[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Wednesday, December 2, 2020 @ 17:23:57 Author: heftig Revision: 402808 5.4.81-1 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch ---+ 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch | 55 -- PKGBUILD |8 - 2 files changed, 3 insertions(+), 60 deletions(-) Deleted: 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch === --- 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch 2020-12-02 17:23:51 UTC (rev 402807) +++ 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch 2020-12-02 17:23:57 UTC (rev 402808) 
@@ -1,55 +0,0 @@ -From a163474e9b86c2c25f20733385d8b1d6de492a7f Mon Sep 17 00:00:00 2001 -From: Ard Biesheuvel -Date: Wed, 25 Nov 2020 08:45:55 +0100 -Subject: efivarfs: revert "fix memory leak in efivarfs_create()" - -The memory leak addressed by commit fe5186cf12e3 is a false positive: -all allocations are recorded in a linked list, and freed when the -filesystem is unmounted. This leads to double frees, and as reported -by David, leads to crashes if SLUB is configured to self destruct when -double frees occur. - -So drop the redundant kfree() again, and instead, mark the offending -pointer variable so the allocation is ignored by kmemleak. - -Cc: Vamshi K Sthambamkadi -Fixes: fe5186cf12e3 ("efivarfs: fix memory leak in efivarfs_create()") -Reported-by: David Laight -Signed-off-by: Ard Biesheuvel - fs/efivarfs/inode.c | 2 ++ - fs/efivarfs/super.c | 1 - - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c -index 96c0c86f3fff..0297ad95eb5c 100644 a/fs/efivarfs/inode.c -+++ b/fs/efivarfs/inode.c -@@ -7,6 +7,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -103,6 +104,7 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, - var->var.VariableName[i] = '\0'; - - inode->i_private = var; -+ kmemleak_ignore(var); - - err = efivar_entry_add(var, &efivarfs_list); - if (err) -diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c -index f943fd0b0699..15880a68faad 100644 a/fs/efivarfs/super.c -+++ b/fs/efivarfs/super.c -@@ -21,7 +21,6 @@ LIST_HEAD(efivarfs_list); - static void efivarfs_evict_inode(struct inode *inode) - { - clear_inode(inode); -- kfree(inode->i_private); - } - - static const struct super_operations efivarfs_ops = { Modified: PKGBUILD === --- PKGBUILD2020-12-02 17:23:51 UTC (rev 402807) +++ PKGBUILD2020-12-02 17:23:57 UTC (rev 402808) 
@@ -1,8 +1,8 @@ # Maintainer: Andreas Radke pkgbase=linux-lts -pkgver=5.4.80 -pkgrel=2 +pkgver=5.4.81 +pkgrel=1 pkgdesc='LTS Linux' url="https://www.kernel.org/"; arch=(x86_64) @@ -18,7 +18,6 @@ config # the main kernel config file 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch - 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch sphinx-workaround.patch ) validpgpkeys=( @@ -26,12 +25,11 @@ '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -sha256sums=('49da425c1f3c530fd3ff31d85a0461f6b6dc6e459f7faf3eee23e49a98ce64c7' +sha256sums=('9470bde475726996202d845a5fc3bc8bd3bb546bbc6816fb663fa73df25d8427' 'SKIP' '760ec068a7a1d8e6d4af17c2a77bd0bcec6198ba31e003f6304313d43e3632a0' 'b439f57b84bc98730c0265695abb92385ee4dcd35a5c00d4cb3d3155c75fb491' '4fd74bb2a7101d700fba91806141339d8c9e46a14f8fc1fe276cfb68f1eec0f5' -'bc9e2f7e843a8fa87da0b1b40c7257cd92311f070fb255120c405ad257cff3ed' 'b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e') export KBUILD_BUILD_HOST=archlinux
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Saturday, November 28, 2020 @ 15:29:13 Author: eworm Revision: 402361 upgpkg: linux-lts 5.4.80-2: fix oops on shutdown Added: linux-lts/trunk/0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch Modified: linux-lts/trunk/PKGBUILD ---+ 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch | 55 ++ PKGBUILD |4 2 files changed, 58 insertions(+), 1 deletion(-) Added: 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch === --- 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch (rev 0) +++ 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch 2020-11-28 15:29:13 UTC (rev 402361) 
@@ -0,0 +1,55 @@ +From a163474e9b86c2c25f20733385d8b1d6de492a7f Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 25 Nov 2020 08:45:55 +0100 +Subject: efivarfs: revert "fix memory leak in efivarfs_create()" + +The memory leak addressed by commit fe5186cf12e3 is a false positive: +all allocations are recorded in a linked list, and freed when the +filesystem is unmounted. This leads to double frees, and as reported +by David, leads to crashes if SLUB is configured to self destruct when +double frees occur. + +So drop the redundant kfree() again, and instead, mark the offending +pointer variable so the allocation is ignored by kmemleak. + +Cc: Vamshi K Sthambamkadi +Fixes: fe5186cf12e3 ("efivarfs: fix memory leak in efivarfs_create()") +Reported-by: David Laight +Signed-off-by: Ard Biesheuvel +--- + fs/efivarfs/inode.c | 2 ++ + fs/efivarfs/super.c | 1 - + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c +index 96c0c86f3fff..0297ad95eb5c 100644 +--- a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -103,6 +104,7 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, + var->var.VariableName[i] = '\0'; + + inode->i_private = var; ++ kmemleak_ignore(var); + + err = efivar_entry_add(var, &efivarfs_list); + if (err) +diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c +index f943fd0b0699..15880a68faad 100644 +--- a/fs/efivarfs/super.c b/fs/efivarfs/super.c +@@ -21,7 +21,6 @@ LIST_HEAD(efivarfs_list); + static void efivarfs_evict_inode(struct inode *inode) + { + clear_inode(inode); +- kfree(inode->i_private); + } + + static const struct super_operations efivarfs_ops = { Modified: PKGBUILD === --- PKGBUILD2020-11-28 14:29:07 UTC (rev 402360) +++ PKGBUILD2020-11-28 15:29:13 UTC (rev 402361) 
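Review bot: The new `kmemleak_ignore(var);` line in efivarfs_create() has no comment, so the ownership rule that justifies it lives only in the commit message. That message says every entry is recorded in a linked list and freed when the filesystem is unmounted, which is what the earlier leak fix overlooked and what produced the double free. I would add a comment above the call, e.g. `/* var is owned by efivarfs_list and freed at unmount; not a leak, must not be kfree()d on evict */`, and a matching one-line note in efivarfs_evict_inode() in super.c, which now only calls clear_inode(). Both functions continue outside the hunks shown.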
@@ -2,7 +2,7 @@ pkgbase=linux-lts pkgver=5.4.80 -pkgrel=1 +pkgrel=2 pkgdesc='LTS Linux' url="https://www.kernel.org/"; arch=(x86_64) @@ -18,6 +18,7 @@ config # the main kernel config file 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch + 0003-efivarfs-revert-fix-memory-leak-in-efivarfs_create.patch sphinx-workaround.patch ) validpgpkeys=( @@ -30,6 +31,7 @@ '760ec068a7a1d8e6d4af17c2a77bd0bcec6198ba31e003f6304313d43e3632a0' 'b439f57b84bc98730c0265695abb92385ee4dcd35a5c00d4cb3d3155c75fb491' '4fd74bb2a7101d700fba91806141339d8c9e46a14f8fc1fe276cfb68f1eec0f5' +'bc9e2f7e843a8fa87da0b1b40c7257cd92311f070fb255120c405ad257cff3ed' 'b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e') export KBUILD_BUILD_HOST=archlinux
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Tuesday, November 10, 2020 @ 15:16:54 Author: heftig Revision: 400070 5.4.76-1 Modified: linux-lts/trunk/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch linux-lts/trunk/PKGBUILD -+ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch |2 +- PKGBUILD|6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) Modified: 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch === --- 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 2020-11-10 15:14:54 UTC (rev 400069) +++ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 2020-11-10 15:16:54 UTC (rev 400070) @@ -40,7 +40,7 @@ bool "PID Namespaces" default y diff --git a/kernel/fork.c b/kernel/fork.c -index e3d5963d8c6f..26bca4170e37 100644 +index 419fff8eb9e5..70da21e5c06a 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -106,6 +106,11 @@ Modified: PKGBUILD === --- PKGBUILD2020-11-10 15:14:54 UTC (rev 400069) +++ PKGBUILD2020-11-10 15:16:54 UTC (rev 400070) @@ -1,7 +1,7 @@ # Maintainer: Andreas Radke pkgbase=linux-lts -pkgver=5.4.75 +pkgver=5.4.76 pkgrel=1 pkgdesc='LTS Linux' url="https://www.kernel.org/"; @@ -25,10 +25,10 @@ '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -sha256sums=('d2466fd6eb5433e7bf287b617b11b2640c65a7ea93a57eb7a80d7f537cbc1470' +sha256sums=('6f565fd31af5e1df7520c88d36d61db0f14b8fd7cc77aeb6c9b7b2ac25bef7d2' 'SKIP' '760ec068a7a1d8e6d4af17c2a77bd0bcec6198ba31e003f6304313d43e3632a0' -'0160432bb1a8e695aac2b389852fb2fa0967b4e56633d3af21232d62292195c2' +'b439f57b84bc98730c0265695abb92385ee4dcd35a5c00d4cb3d3155c75fb491' '4fd74bb2a7101d700fba91806141339d8c9e46a14f8fc1fe276cfb68f1eec0f5' 'b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e')
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Saturday, October 17, 2020 @ 14:41:35 Author: heftig Revision: 398503 5.4.72-1 Added: linux-lts/trunk/0003-i2c-core-Restore-acpi_walk_dep_device_list-getting-c.patch Modified: linux-lts/trunk/PKGBUILD -+ 0003-i2c-core-Restore-acpi_walk_dep_device_list-getting-c.patch | 70 ++ PKGBUILD|6 2 files changed, 74 insertions(+), 2 deletions(-) Added: 0003-i2c-core-Restore-acpi_walk_dep_device_list-getting-c.patch === --- 0003-i2c-core-Restore-acpi_walk_dep_device_list-getting-c.patch (rev 0) +++ 0003-i2c-core-Restore-acpi_walk_dep_device_list-getting-c.patch 2020-10-17 14:41:35 UTC (rev 398503) 
@@ -0,0 +1,70 @@ +From Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 14 Oct 2020 16:41:58 +0200 +Subject: [PATCH] i2c: core: Restore acpi_walk_dep_device_list() getting called + after registering the ACPI i2c devs + +Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() +before i2c_acpi_register_devices()")'s intention was to only move the +acpi_install_address_space_handler() call to the point before where +the ACPI declared i2c-children of the adapter where instantiated by +i2c_acpi_register_devices(). + +But i2c_acpi_install_space_handler() had a call to +acpi_walk_dep_device_list() hidden (that is I missed it) at the end +of it, so as an unwanted side-effect now acpi_walk_dep_device_list() +was also being called before i2c_acpi_register_devices(). + +Move the acpi_walk_dep_device_list() call to the end of +i2c_acpi_register_devices(), so that it is once again called *after* +the i2c_client-s hanging of the adapter have been created. + +This fixes the Microsoft Surface Go 2 hanging at boot. 
+ +Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()") +Suggested-by: Maximilian Luz +Reported-and-tested-by: Kieran Bingham +Signed-off-by: Hans de Goede +--- + drivers/i2c/i2c-core-acpi.c | 11 ++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index ce70b5288472..c70983780ae7 100644 +--- a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +@@ -264,16 +264,26 @@ static acpi_status i2c_acpi_add_device(acpi_handle handle, u32 level, + void i2c_acpi_register_devices(struct i2c_adapter *adap) + { + acpi_status status; ++ acpi_handle handle; + + if (!has_acpi_companion(&adap->dev)) + return; + + status = acpi_walk_namespace(ACPI_TYPE_DEVICE, ACPI_ROOT_OBJECT, +I2C_ACPI_MAX_SCAN_DEPTH, +i2c_acpi_add_device, NULL, +adap, NULL); + if (ACPI_FAILURE(status)) + dev_warn(&adap->dev, "failed to enumerate I2C slaves\n"); ++ ++ if (!adap->dev.parent) ++ return; ++ ++ handle = ACPI_HANDLE(adap->dev.parent); ++ if (!handle) ++ return; ++ ++ acpi_walk_dep_device_list(handle); + } + + const struct acpi_device_id * +@@ -737,7 +747,6 @@ int i2c_acpi_install_space_handler(struct i2c_adapter *adapter) + return -ENOMEM; + } + +- acpi_walk_dep_device_list(handle); + return 0; + } + Modified: PKGBUILD === --- PKGBUILD2020-10-17 13:36:18 UTC (rev 398502) +++ PKGBUILD2020-10-17 14:41:35 UTC (rev 398503) @@ -1,7 +1,7 @@ # Maintainer: Andreas Radke pkgbase=linux-lts -pkgver=5.4.71 +pkgver=5.4.72 pkgrel=1 pkgdesc='LTS Linux' url="https://www.kernel.org/"; @@ -18,6 +18,7 @@ config # the main kernel config file 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch + 0003-i2c-core-Restore-acpi_walk_dep_device_list-getting-c.patch sphinx-workaround.patch ) validpgpkeys=( 
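Review bot: The ordering constraint this patch restores is not recorded in the code: nothing in i2c_acpi_register_devices() says that `acpi_walk_dep_device_list(handle)` has to run after the acpi_walk_namespace() enumeration. The commit message explains that the regression came from that call being overlooked at the end of i2c_acpi_install_space_handler(). A short comment above the call, such as `/* Must run after the i2c clients have been instantiated above. */`, would keep a later refactor from moving it again. Separately, the dependency walk still runs when enumeration failed and only `dev_warn()` was emitted; if that is intended, the same comment could say so.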
@@ -25,11 +26,12 @@ '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -sha256sums=('737049ef3cf38d46ee3b377354336cdbc1c4dd95b4e54975a70716f96c8d6cc7' +sha256sums=('0e24645bd56fe5b55a7a662895f5562c103d71b54d097281f0c9c71ff22c1172' 'SKIP' '6a2ee8f822810f594921aa85087e4cf0a17c68518d395586fd9c56b6c7e63dad' '0279e6c1a7f233110393995eccca1371edf11680fa5d6b8916dcb9ce098fb7fb' '4fd74bb2a7101d700fba91806141339d8c9e46a14f8fc1fe276cfb68f1eec0f5' +'f1e849d9e0cd07d527f60fed5aebbb76d7dd0c77a504786f4d0d09c20445f8f1' 'b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e') export KBUILD_BUILD_HOST=archlinux
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Thursday, October 1, 2020 @ 21:58:20 Author: heftig Revision: 397059 5.4.69-1 Modified: linux-lts/trunk/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch linux-lts/trunk/PKGBUILD -+ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch |6 +++--- PKGBUILD|6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) Modified: 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch === --- 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 2020-10-01 21:50:35 UTC (rev 397058) +++ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 2020-10-01 21:58:20 UTC (rev 397059) @@ -40,7 +40,7 @@ bool "PID Namespaces" default y diff --git a/kernel/fork.c b/kernel/fork.c -index 9180f4416dba..a02f83b1d9b4 100644 +index 594272569a80..96a55931654c 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -106,6 +106,11 @@ @@ -55,7 +55,7 @@ /* * Minimum number of threads to boot the kernel -@@ -1779,6 +1784,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1780,6 +1785,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -66,7 +66,7 @@ /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2837,6 +2846,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -2838,6 +2847,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; Modified: PKGBUILD === --- PKGBUILD2020-10-01 21:50:35 UTC (rev 397058) +++ PKGBUILD2020-10-01 21:58:20 UTC (rev 397059) @@ -1,7 +1,7 @@ # Maintainer: Andreas Radke pkgbase=linux-lts -pkgver=5.4.68 +pkgver=5.4.69 pkgrel=1 pkgdesc='LTS Linux' url="https://www.kernel.org/"; 
@@ -25,10 +25,10 @@ '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -sha256sums=('0e93876c5ae8dc0c55cbe631971a46ab02b90cf7461fed3085703a5e4e3cd6dd' +sha256sums=('a8b31d716b397303a183e42ad525ff2871024a43e3ea530d0fdf73b7f9d27da7' 'SKIP' '6a2ee8f822810f594921aa85087e4cf0a17c68518d395586fd9c56b6c7e63dad' -'b3f2777462517abd75039fc56a63dfa3f5eb6b3865e02fe9e0c3512381eed54b' +'0279e6c1a7f233110393995eccca1371edf11680fa5d6b8916dcb9ce098fb7fb' '4fd74bb2a7101d700fba91806141339d8c9e46a14f8fc1fe276cfb68f1eec0f5' 'b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e')
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Wednesday, July 22, 2020 @ 20:52:28 Author: heftig Revision: 392391 5.4.53-1 Modified: linux-lts/trunk/0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch linux-lts/trunk/PKGBUILD -+ 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch | 116 +- PKGBUILD|6 2 files changed, 15 insertions(+), 107 deletions(-) Modified: 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch === --- 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch 2020-07-22 20:52:26 UTC (rev 392390) +++ 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch 2020-07-22 20:52:28 UTC (rev 392391) @@ -135,18 +135,16 @@ Reviewed-by: Arnd Bergmann Signed-off-by: Hans de Goede --- - drivers/virt/vboxguest/vboxguest_core.c | 272 +++ - drivers/virt/vboxguest/vboxguest_core.h | 38 +++- - drivers/virt/vboxguest/vboxguest_linux.c | 3 +- + drivers/virt/vboxguest/vboxguest_core.c | 266 +++ + drivers/virt/vboxguest/vboxguest_core.h | 23 +- drivers/virt/vboxguest/vboxguest_utils.c | 1 + - drivers/virt/vboxguest/vmmdev.h | 2 + include/linux/vbox_utils.h | 1 + include/uapi/linux/vbox_vmmdev_types.h | 3 + - include/uapi/linux/vboxguest.h | 28 ++- - 8 files changed, 294 insertions(+), 54 deletions(-) + include/uapi/linux/vboxguest.h | 24 ++ + 6 files changed, 269 insertions(+), 49 deletions(-) diff --git a/drivers/virt/vboxguest/vboxguest_core.c b/drivers/virt/vboxguest/vboxguest_core.c -index 2307b0329aec..f449fc366cf3 100644 +index 95bfdb8ac8a2..f449fc366cf3 100644 --- a/drivers/virt/vboxguest/vboxguest_core.c +++ b/drivers/virt/vboxguest/vboxguest_core.c @@ -558,7 +558,7 @@ static int vbg_reset_host_event_filter(struct vbg_dev *gdev, 
@@ -516,8 +514,7 @@ or_mask = caps->u.in.or_mask; not_mask = caps->u.in.not_mask; -- if ((or_mask | not_mask) & ~VMMDEV_EVENT_VALID_EVENT_MASK) -+ if ((or_mask | not_mask) & ~VMMDEV_GUEST_CAPABILITIES_MASK) + if ((or_mask | not_mask) & ~VMMDEV_GUEST_CAPABILITIES_MASK) return -EINVAL; ret = vbg_set_session_capabilities(gdev, session, or_mask, not_mask, @@ -530,29 +527,7 @@ caps->u.out.global_caps = gdev->guest_caps_host; return 0; -@@ -1519,48 +1693,52 @@ int vbg_core_ioctl(struct vbg_session *session, unsigned int req, void *data) - - /* For VMMDEV_REQUEST hdr->type != VBG_IOCTL_HDR_TYPE_DEFAULT */ - if (req_no_size == VBG_IOCTL_VMMDEV_REQUEST(0) || -- req == VBG_IOCTL_VMMDEV_REQUEST_BIG) -+ req == VBG_IOCTL_VMMDEV_REQUEST_BIG || -+ req == VBG_IOCTL_VMMDEV_REQUEST_BIG_ALT) - return vbg_ioctl_vmmrequest(gdev, session, data); - - if (hdr->type != VBG_IOCTL_HDR_TYPE_DEFAULT) - return -EINVAL; - - /* Fixed size requests. */ - switch (req) { - case VBG_IOCTL_DRIVER_VERSION_INFO: - return vbg_ioctl_driver_version_info(data); - case VBG_IOCTL_HGCM_CONNECT: - return vbg_ioctl_hgcm_connect(gdev, session, data); - case VBG_IOCTL_HGCM_DISCONNECT: - return vbg_ioctl_hgcm_disconnect(gdev, session, data); - case VBG_IOCTL_WAIT_FOR_EVENTS: - return vbg_ioctl_wait_for_events(gdev, session, data); - case VBG_IOCTL_INTERRUPT_ALL_WAIT_FOR_EVENTS: +@@ -1540,29 +1714,31 @@ int vbg_core_ioctl(struct vbg_session *session, unsigned int req, void *data) return vbg_ioctl_interrupt_all_wait_events(gdev, session, data); case VBG_IOCTL_CHANGE_FILTER_MASK: return vbg_ioctl_change_filter_mask(gdev, session, data); @@ -576,7 +551,7 @@ case VBG_IOCTL_HGCM_CALL(0): return vbg_ioctl_hgcm_call(gdev, session, f32bit, data); case VBG_IOCTL_LOG(0): -+ case VBG_IOCTL_LOG_ALT(0): + case VBG_IOCTL_LOG_ALT(0): return vbg_ioctl_log(data); } @@ -586,32 +561,10 @@ } 
diff --git a/drivers/virt/vboxguest/vboxguest_core.h b/drivers/virt/vboxguest/vboxguest_core.h -index 4188c12b839f..ab4bf64e2cec 100644 +index 77c3a9c8255d..ab4bf64e2cec 100644 --- a/drivers/virt/vboxguest/vboxguest_core.h +++ b/drivers/virt/vboxguest/vboxguest_core.h -@@ -15,6 +15,21 @@ - #include - #include "vmmdev.h" - -+/* -+ * The mainline kernel version (this version) of the vboxguest module -+ * contained a bug where it defined VBGL_IOCTL_VMMDEV_REQUEST_BIG and -+ * VBGL_IOCTL_LOG using _IOC(_IOC_READ | _IOC_WRITE, 'V', ...) instead -+ * of _IO(V, ...) as the out of tree VirtualBox upstream version does. -+ * -+ * These _ALT definitions keep compatibility with the wrong defines the -+ * mainline kernel version used for a whil
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Friday, May 8, 2020 @ 21:32:08 Author: heftig Revision: 382812 5.4.39-2: GCC 10 Added: linux-lts/trunk/0001-gcc-common.h-Update-for-GCC-10.patch Modified: linux-lts/trunk/PKGBUILD ---+ 0001-gcc-common.h-Update-for-GCC-10.patch | 92 PKGBUILD |4 - 2 files changed, 95 insertions(+), 1 deletion(-) Added: 0001-gcc-common.h-Update-for-GCC-10.patch === --- 0001-gcc-common.h-Update-for-GCC-10.patch (rev 0) +++ 0001-gcc-common.h-Update-for-GCC-10.patch 2020-05-08 21:32:08 UTC (rev 382812) 
@@ -0,0 +1,92 @@ +From 1a84040203e73d1bccfdb99aed98042efe3ecd16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= + +Date: Tue, 7 Apr 2020 13:32:59 +0200 +Subject: [PATCH] gcc-common.h: Update for GCC 10 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Remove "params.h" include, which has been dropped in GCC 10. + +Remove is_a_helper() macro, which is now defined in gimple.h, as seen +when running './scripts/gcc-plugin.sh g++ g++ gcc': + +In file included from :1: +./gcc-plugins/gcc-common.h:852:13: error: redefinition of ‘static bool is_a_helper::test(U*) [with U = const gimple; T = const ggoto*]’ + 852 | inline bool is_a_helper::test(const_gimple gs) + | ^~ +In file included from ./gcc-plugins/gcc-common.h:125, + from :1: +/usr/lib/gcc/x86_64-redhat-linux/10/plugin/include/gimple.h:1037:1: note: ‘static bool is_a_helper::test(U*) [with U = const gimple; T = const ggoto*]’ previously declared here + 1037 | is_a_helper ::test (const gimple *gs) + | ^~~ + +Add -Wno-format-diag to scripts/gcc-plugins/Makefile to avoid +meaningless warnings from error() formats used by plugins: + +scripts/gcc-plugins/structleak_plugin.c: In function ‘int plugin_init(plugin_name_args*, plugin_gcc_version*)’: +scripts/gcc-plugins/structleak_plugin.c:253:12: warning: unquoted sequence of 2 consecutive punctuation characters ‘'-’ in format [-Wformat-diag] + 253 | error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + |^ + +Signed-off-by: Frédéric Pierret (fepitre) +Link: https://lore.kernel.org/r/20200407113259.270172-1-frederic.pier...@qubes-os.org +[kees: include -Wno-format-diag for plugin builds] +Signed-off-by: Kees Cook +--- + scripts/gcc-plugins/Makefile | 1 + + scripts/gcc-plugins/gcc-common.h | 4 + 2 files changed, 5 insertions(+) + +diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile +index aa0d0ec6936d..9e95862f2788 100644 +--- 
a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile +@@ -11,6 +11,7 @@ else + HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti + HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb + HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable ++ HOST_EXTRACXXFLAGS += -Wno-format-diag + export HOST_EXTRACXXFLAGS + endif + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 17f06079a712..9ad76b7f3f10 100644 +--- a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +@@ -35,7 +35,9 @@ + #include "ggc.h" + #include "timevar.h" + ++#if BUILDING_GCC_VERSION < 1 + #include "params.h" ++#endif + + #if BUILDING_GCC_VERSION <= 4009 + #include "pointer-set.h" +@@ -847,19 +849,21 @@ static inline gimple gimple_build_assign_with_ops(enum tree_code subcode, tree l + return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT); + } + ++#if BUILDING_GCC_VERSION < 1 + template <> + template <> + inline bool is_a_helper::test(const_gimple gs) + { + return gs->code == GIMPLE_GOTO; + } + + template <> + template <> + inline bool is_a_helper::test(const_gimple gs) + { + return gs->code == GIMPLE_RETURN; + } ++#endif + + static inline gasm *as_a_gasm(gimple stmt) + { +-- +2.26.2 + Modified: PKGBUILD === --- PKGBUILD2020-05-08 21:20:02 UTC (rev 382811) +++ PKGBUILD2020-05-08 21:32:08 UTC (rev 382812) @@ -2,7 +2,7 @@ pkgbase=linux-lts pkgver=5.4.39 -pkgrel=1 +pkgrel=2 pkgdesc='LTS Linux' url="https://www.kernel.org/"; arch=(x86_64) @@ -17,6 +17,7 @@ https://www.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign} config # the main kernel config file 0001-add-sysctl-and-CONFIG-for-unprivileged_userns_clone.patch + 0001-gcc-common.h-Update-for-GCC-10.patch sphinx-workaround.patch ) validpgpkeys=( @@ -28,6 +29,7 @@ 'SKIP' '8b202067f6f0adbe2f8d4290624005f4fa1fff32aaa42f979c9ab03f6b74b62f' 'a13581d3c6dc595206e4fe
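Review bot: As rendered here, both new guards read `#if BUILDING_GCC_VERSION < 1`, which can never be true under the version encoding used by the neighbouring `#if BUILDING_GCC_VERSION <= 4009` check. Taken literally, that would drop the `params.h` include and the two `is_a_helper` specialisations for every compiler rather than only for GCC 10 and later, which would presumably break plugin builds on older toolchains. The digits have probably been lost by the archive (the template arguments of `is_a_helper` are missing as well). Confirm against the patch file itself that the threshold is the GCC 10 value in that encoding before relying on this listing.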
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Sunday, April 19, 2020 @ 13:52:10 Author: heftig Revision: 380548 5.4.33-3 Added: linux-lts/trunk/drm-amdgpu-fix-the-hw-hang-during-perform-system-reboot-and-reset.patch Modified: linux-lts/trunk/PKGBUILD -+ PKGBUILD|8 +- drm-amdgpu-fix-the-hw-hang-during-perform-system-reboot-and-reset.patch | 37 ++ 2 files changed, 43 insertions(+), 2 deletions(-) Modified: PKGBUILD === --- PKGBUILD2020-04-19 13:52:04 UTC (rev 380547) +++ PKGBUILD2020-04-19 13:52:10 UTC (rev 380548) @@ -2,7 +2,7 @@ pkgbase=linux-lts pkgver=5.4.33 -pkgrel=2 +pkgrel=3 pkgdesc='LTS Linux' url="https://www.kernel.org/"; arch=(x86_64) @@ -18,7 +18,10 @@ config # the main kernel config file 0001-add-sysctl-and-CONFIG-for-unprivileged_userns_clone.patch sphinx-workaround.patch + + # From stable-queue revert-acpi-ec-do-not-clear-boot_ec_is_ecdt-in-acpi_ec_add.patch + drm-amdgpu-fix-the-hw-hang-during-perform-system-reboot-and-reset.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -30,7 +33,8 @@ '8b202067f6f0adbe2f8d4290624005f4fa1fff32aaa42f979c9ab03f6b74b62f' 'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2' 'b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e' -'9fd93b899e03accd31ab357a70e538220c424ce8769e63a8b961fa627ab27c0a') +'9fd93b899e03accd31ab357a70e538220c424ce8769e63a8b961fa627ab27c0a' +'3015cbbcd0527bef418c45febed7b18a97e1783901ecf9b3693024a9ee867138') export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase Added: drm-amdgpu-fix-the-hw-hang-during-perform-system-reboot-and-reset.patch === --- drm-amdgpu-fix-the-hw-hang-during-perform-system-reboot-and-reset.patch (rev 0) +++ drm-amdgpu-fix-the-hw-hang-during-perform-system-reboot-and-reset.patch 2020-04-19 13:52:10 UTC (rev 380548) 
@@ -0,0 +1,37 @@ +From b2a7e9735ab2864330be9d00d7f38c961c28de5d Mon Sep 17 00:00:00 2001 +From: Prike Liang +Date: Mon, 13 Apr 2020 21:41:14 +0800 +Subject: drm/amdgpu: fix the hw hang during perform system reboot and reset + +From: Prike Liang + +commit b2a7e9735ab2864330be9d00d7f38c961c28de5d upstream. + +The system reboot failed as some IP blocks enter power gate before perform +hw resource destory. Meanwhile use unify interface to set device CGPG to ungate +state can simplify the amdgpu poweroff or reset ungate guard. + +Fixes: 487eca11a321ef ("drm/amdgpu: fix gfx hang during suspend with video playback (v2)") +Signed-off-by: Prike Liang +Tested-by: Mengbing Wang +Tested-by: Paul Menzel +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: sta...@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2176,6 +2176,8 @@ static int amdgpu_device_ip_suspend_phas + { + int i, r; + ++ amdgpu_device_set_pg_state(adev, AMD_PG_STATE_UNGATE); ++ amdgpu_device_set_cg_state(adev, AMD_CG_STATE_UNGATE); + + for (i = adev->num_ip_blocks - 1; i >= 0; i--) { + if (!adev->ip_blocks[i].status.valid)
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Thursday, April 2, 2020 @ 14:59:04 Author: andyrtr Revision: 379137 upgpkg: linux-lts 5.4.30-1: upstream update 5.4.30 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch -+ 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch | 68 -- PKGBUILD| 10 - 2 files changed, 4 insertions(+), 74 deletions(-) Deleted: 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch === --- 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch 2020-04-02 11:30:23 UTC (rev 379136) +++ 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch 2020-04-02 14:59:04 UTC (rev 379137) 
@@ -1,68 +0,0 @@ -From 6f2896ad2981c70be7caf0e44e0adc25f76d9937 Mon Sep 17 00:00:00 2001 -From: Levente Polyak -Date: Mon, 30 Mar 2020 20:42:07 +0200 -Subject: [PATCH] CVE-2020-8835: Revert "bpf: Provide better register bounds - after jmp32 instructions" - -This reverts commit b4de258dede528f88f401259aab3147fb6da1ddf which is a -backport of 581738a681b6. - -Manfred Paul, as part of the ZDI pwn2own competition, demonstrated -that a flaw existed in the bpf verifier for 32bit operations. This -was introduced in commit: - - 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") - -The result is that register bounds were improperly calculated, -allowing out-of-bounds reads and writes to occur. - kernel/bpf/verifier.c | 19 --- - 1 file changed, 19 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index b2817d0929b3..a0b76b360d6f 100644 a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -979,17 +979,6 @@ static void __reg_bound_offset(struct bpf_reg_state *reg) -reg->umax_value)); - } - --static void __reg_bound_offset32(struct bpf_reg_state *reg) --{ -- u64 mask = 0x; -- struct tnum range = tnum_range(reg->umin_value & mask, -- reg->umax_value & mask); -- struct tnum lo32 = tnum_cast(reg->var_off, 4); -- struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32); -- -- reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range)); --} -- - /* Reset the min/max bounds of a register */ - static void __mark_reg_unbounded(struct bpf_reg_state *reg) - { -@@ -5452,10 +5441,6 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, - /* We might have learned some bits from the bounds. */ - __reg_bound_offset(false_reg); - __reg_bound_offset(true_reg); -- if (is_jmp32) { -- __reg_bound_offset32(false_reg); -- __reg_bound_offset32(true_reg); -- } - /* Intersecting with the old var_off might have improved our bounds -* slightly. e.g. 
if umax was 0x7f...f and var_off was (0; 0xf...fc), -* then new var_off is (0; 0x7f...fc) which improves our umax. -@@ -5565,10 +5550,6 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, - /* We might have learned some bits from the bounds. */ - __reg_bound_offset(false_reg); - __reg_bound_offset(true_reg); -- if (is_jmp32) { -- __reg_bound_offset32(false_reg); -- __reg_bound_offset32(true_reg); -- } - /* Intersecting with the old var_off might have improved our bounds -* slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), -* then new var_off is (0; 0x7f...fc) which improves our umax. --- -2.26.0 - Modified: PKGBUILD === --- PKGBUILD2020-04-02 11:30:23 UTC (rev 379136) +++ PKGBUILD2020-04-02 14:59:04 UTC (rev 379137) @@ -1,8 +1,8 @@ # Maintainer: Andreas Radke pkgbase=linux-lts -pkgver=5.4.28 -pkgrel=2 +pkgver=5.4.30 +pkgrel=1 pkgdesc='LTS Linux' url="https://www.kernel.org/"; arch=(x86_64) @@ -17,7 +17,6 @@ https://www.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign} config # the main kernel config file 0001-add-sysctl-and-CONFIG-for-unprivileged_userns_clone.patch - 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -24,11 +23,10 @@ '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -sha256sums=('c863cc1346348f9a40083b4bc0d34375117b1c401af920994d42e855653ef7a4' +sha256sums=('11dd78f701bce619d90d3b2ee597601716c48087e159c890c1decd7b90349def' 'SKIP' '7a58467b4cf628306a0048993f43508e5da39d8495801602b25b035372651697' -'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2' -
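Review bot: The `source` array hunk drops `0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch`, but the log message only says "upstream update 5.4.30" and does not state that the new tarball contains the verifier fix. Removing a CVE mitigation is safe only if the upstream release supersedes it, so the commit message or a PKGBUILD comment should name the stable commit that does. It is also worth confirming that `kernel/bpf/verifier.c` in the 5.4.30 tree no longer applies `__reg_bound_offset32()` in `reg_set_min_max()` and `reg_set_min_max_inv()`. The last PKGBUILD hunk on this page is cut off, so the final checksum list cannot be checked from here.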
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Monday, March 30, 2020 @ 20:37:19 Author: anthraxx Revision: 378766 upgpkg: linux-lts 5.4.28-2: CVE-2020-8835 Added: linux-lts/trunk/0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch Modified: linux-lts/trunk/PKGBUILD -+ 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch | 68 ++ PKGBUILD|6 2 files changed, 72 insertions(+), 2 deletions(-) Added: 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch === --- 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch (rev 0) +++ 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch 2020-03-30 20:37:19 UTC (rev 378766) 
@@ -0,0 +1,68 @@ +From 6f2896ad2981c70be7caf0e44e0adc25f76d9937 Mon Sep 17 00:00:00 2001 +From: Levente Polyak +Date: Mon, 30 Mar 2020 20:42:07 +0200 +Subject: [PATCH] CVE-2020-8835: Revert "bpf: Provide better register bounds + after jmp32 instructions" + +This reverts commit b4de258dede528f88f401259aab3147fb6da1ddf which is a +backport of 581738a681b6. + +Manfred Paul, as part of the ZDI pwn2own competition, demonstrated +that a flaw existed in the bpf verifier for 32bit operations. This +was introduced in commit: + + 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") + +The result is that register bounds were improperly calculated, +allowing out-of-bounds reads and writes to occur. +--- + kernel/bpf/verifier.c | 19 --- + 1 file changed, 19 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index b2817d0929b3..a0b76b360d6f 100644 +--- a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +@@ -979,17 +979,6 @@ static void __reg_bound_offset(struct bpf_reg_state *reg) +reg->umax_value)); + } + +-static void __reg_bound_offset32(struct bpf_reg_state *reg) +-{ +- u64 mask = 0x; +- struct tnum range = tnum_range(reg->umin_value & mask, +- reg->umax_value & mask); +- struct tnum lo32 = tnum_cast(reg->var_off, 4); +- struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32); +- +- reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range)); +-} +- + /* Reset the min/max bounds of a register */ + static void __mark_reg_unbounded(struct bpf_reg_state *reg) + { +@@ -5452,10 +5441,6 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, + /* We might have learned some bits from the bounds. */ + __reg_bound_offset(false_reg); + __reg_bound_offset(true_reg); +- if (is_jmp32) { +- __reg_bound_offset32(false_reg); +- __reg_bound_offset32(true_reg); +- } + /* Intersecting with the old var_off might have improved our bounds +* slightly. e.g. 
if umax was 0x7f...f and var_off was (0; 0xf...fc), +* then new var_off is (0; 0x7f...fc) which improves our umax. +@@ -5565,10 +5550,6 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, + /* We might have learned some bits from the bounds. */ + __reg_bound_offset(false_reg); + __reg_bound_offset(true_reg); +- if (is_jmp32) { +- __reg_bound_offset32(false_reg); +- __reg_bound_offset32(true_reg); +- } + /* Intersecting with the old var_off might have improved our bounds +* slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), +* then new var_off is (0; 0x7f...fc) which improves our umax. +-- +2.26.0 + Modified: PKGBUILD === --- PKGBUILD2020-03-30 19:22:34 UTC (rev 378765) +++ PKGBUILD2020-03-30 20:37:19 UTC (rev 378766) @@ -2,7 +2,7 @@ pkgbase=linux-lts pkgver=5.4.28 -pkgrel=1 +pkgrel=2 pkgdesc='LTS Linux' url="https://www.kernel.org/"; arch=(x86_64) @@ -17,6 +17,7 @@ https://www.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign} config # the main kernel config file 0001-add-sysctl-and-CONFIG-for-unprivileged_userns_clone.patch + 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -26,7 +27,8 @@ sha256sums=('c863cc1346348f9a40083b4bc0d34375117b1c401af920994d42e855653ef7a4' 'SKIP' '7a58467b4cf628306a0048993f43508e5da39d8495801602b25b035372651697' -'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2') +'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2' +'c6d203cb728fbe70f8bd60c9448f0cbcb36d8b535fc1cdd59bda4a26ead303bf') export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase
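Review bot: The patch description names the CVE and the reverted commit but never says what was wrong with the removed `__reg_bound_offset32()`, so a later maintainer cannot judge when the revert is safe to drop. From the removed lines, the helper built its `tnum_range` from `reg->umin_value & mask` and `reg->umax_value & mask`, that is, from 64-bit bounds truncated to the low word, which is presumably the unsound step. A sentence in the message such as `The helper derived low-32-bit knowledge from truncated 64-bit umin/umax` would record that. After the revert, `reg_set_min_max()` and `reg_set_min_max_inv()` refine `var_off` only through `__reg_bound_offset()`, trading some precision on `is_jmp32` branches for soundness; both function bodies continue outside the hunks shown. As rendered here the removed line reads `u64 mask = 0x;`, which looks like archive damage but is worth checking against the committed file, because a removed line that does not match the tree makes the hunk fail to apply.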
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Thursday, October 12, 2017 @ 21:17:38 Author: andyrtr Revision: 307803 upgpkg: linux-lts 4.9.56-1 upstream update 4.9.56 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/socket_bpf_fix_possible_use_after_free.diff -+ PKGBUILD| 14 +--- socket_bpf_fix_possible_use_after_free.diff | 91 -- 2 files changed, 4 insertions(+), 101 deletions(-) Modified: PKGBUILD === --- PKGBUILD2017-10-12 21:10:32 UTC (rev 307802) +++ PKGBUILD2017-10-12 21:17:38 UTC (rev 307803) @@ -4,7 +4,7 @@ pkgbase=linux-lts #pkgbase=linux-lts-custom _srcname=linux-4.9 -pkgver=4.9.55 +pkgver=4.9.56 pkgrel=1 arch=('i686' 'x86_64') url="https://www.kernel.org/"; @@ -19,19 +19,17 @@ '90-linux.hook' # standard config files for mkinitcpio ramdisk linux-lts.preset -change-default-console-loglevel.patch -socket_bpf_fix_possible_use_after_free.diff) +change-default-console-loglevel.patch) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a' 'SKIP' -'358191624dd7004bfc7a8658b6354d9da4d49eb8ef84af41d2dc63dd1a8c4d1a' +'a63aacf1f75a2f02a1313658b7f86be922b7a0e4bab41dc377449dfc0b7c529f' 'SKIP' '6ee48ebd5cf5a6f1a8ab3bb8b00956345b2b2bab3b1238a90d0de09745c502ec' '1bec2ba1cd21b26234caf33cca737259797430d4fe5fade16e60480a9442a6e0' '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' -'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' -'f6a5db4ef1580922ffd0e2d080a8a6ba9b97e270f8373f09c4675241447d6af6') +'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) 
@@ -47,10 +45,6 @@ # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git - # fix broken network reverting upstream commit - # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.9.y&id=02f7e4101092b88e57c73171174976c8a72a3eba - patch -Rp1 -i ../socket_bpf_fix_possible_use_after_free.diff - # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param) # remove this when a Kconfig knob is made available by upstream # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227) Deleted: socket_bpf_fix_possible_use_after_free.diff === --- socket_bpf_fix_possible_use_after_free.diff 2017-10-12 21:10:32 UTC (rev 307802) +++ socket_bpf_fix_possible_use_after_free.diff 2017-10-12 21:17:38 UTC (rev 307803) 
@@ -1,91 +0,0 @@ -From 02f7e4101092b88e57c73171174976c8a72a3eba Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Mon, 2 Oct 2017 12:20:51 -0700 -Subject: socket, bpf: fix possible use after free - -[ Upstream commit eefca20eb20c66b06cf5ed09b49b1a7caaa27b7b ] - -Starting from linux-4.4, 3WHS no longer takes the listener lock. - -Since this time, we might hit a use-after-free in sk_filter_charge(), -if the filter we got in the memcpy() of the listener content -just happened to be replaced by a thread changing listener BPF filter. - -To fix this, we need to make sure the filter refcount is not already -zero before incrementing it again. - -Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") -Signed-off-by: Eric Dumazet -Acked-by: Alexei Starovoitov -Acked-by: Daniel Borkmann -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman - net/core/filter.c | 15 +-- - net/core/sock.c | 5 - - 2 files changed, 17 insertions(+), 3 deletions(-) - -diff --git a/net/core/filter.c b/net/core/filter.c -index 4eb4ce0..bfeedbb 100644 a/net/core/filter.c -+++ b/net/core/filter.c -@@ -937,20 +937,31 @@ void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) - /* try to charge the socket memory if there is space available - * return true on success - */ --bool sk_filter_charge(struct sock *sk, struct sk_filter *fp) -+static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp) - { - u32 filter_size = bpf_prog_size(fp->prog->len); - - /* same check as in sock_kmalloc() */ - if (filter_size <= sysctl_optmem_max && - atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { -- atomic_inc(&fp->refcnt); - atomic_add(filter_size, &sk->sk_omem_alloc); - return true;
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Thursday, October 12, 2017 @ 19:09:07 Author: andyrtr Revision: 307785 upgpkg: linux-lts 4.9.55-1 upstream update 4.8.55 - revert one commit that breaks network (dhcp) Added: linux-lts/trunk/socket_bpf_fix_possible_use_after_free.diff Modified: linux-lts/trunk/PKGBUILD -+ PKGBUILD| 12 ++- socket_bpf_fix_possible_use_after_free.diff | 91 ++ 2 files changed, 100 insertions(+), 3 deletions(-) Modified: PKGBUILD === --- PKGBUILD2017-10-12 18:50:22 UTC (rev 307784) +++ PKGBUILD2017-10-12 19:09:07 UTC (rev 307785) @@ -9,7 +9,7 @@ arch=('i686' 'x86_64') url="https://www.kernel.org/"; license=('GPL2') -makedepends=('xmlto' 'docbook-xsl' 'kmod' 'inetutils' 'bc' 'libelf') +makedepends=('xmlto' 'docbook-xsl' 'kmod' 'inetutils' 'bc' 'libelf' 'git') options=('!strip') source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.{xz,sign} https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.{xz,sign} @@ -19,7 +19,8 @@ '90-linux.hook' # standard config files for mkinitcpio ramdisk linux-lts.preset -change-default-console-loglevel.patch) +change-default-console-loglevel.patch +socket_bpf_fix_possible_use_after_free.diff) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a' 'SKIP' @@ -29,7 +30,8 @@ '1bec2ba1cd21b26234caf33cca737259797430d4fe5fade16e60480a9442a6e0' '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' -'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99') +'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' +'f6a5db4ef1580922ffd0e2d080a8a6ba9b97e270f8373f09c4675241447d6af6') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) 
@@ -45,6 +47,10 @@ # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git + # fix broken network reverting upstream commit + # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.9.y&id=02f7e4101092b88e57c73171174976c8a72a3eba + patch -Rp1 -i ../socket_bpf_fix_possible_use_after_free.diff + # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param) # remove this when a Kconfig knob is made available by upstream # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227) Added: socket_bpf_fix_possible_use_after_free.diff === --- socket_bpf_fix_possible_use_after_free.diff (rev 0) +++ socket_bpf_fix_possible_use_after_free.diff 2017-10-12 19:09:07 UTC (rev 307785) 
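Review bot: The added `patch -Rp1 -i ../socket_bpf_fix_possible_use_after_free.diff` line backs out a commit that its own description (in the added .diff) says closes a use-after-free in sk_filter_charge(), yet the comment above it only reads `# fix broken network reverting upstream commit`. The package therefore ships with that race reopened, and nothing in the PKGBUILD tells the next maintainer so. I would word the comment as `# SECURITY: -R backs out the sk_filter_charge() use-after-free fix (breaks DHCP); remove once a corrected fix is in linux-4.9.y` and reference the file as `"${srcdir}/socket_bpf_fix_possible_use_after_free.diff"` rather than through `../`. The same commit adds `'git'` to makedepends with no use visible in these hunks, which deserves a word in the log.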
@@ -0,0 +1,91 @@ +From 02f7e4101092b88e57c73171174976c8a72a3eba Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 2 Oct 2017 12:20:51 -0700 +Subject: socket, bpf: fix possible use after free + +[ Upstream commit eefca20eb20c66b06cf5ed09b49b1a7caaa27b7b ] + +Starting from linux-4.4, 3WHS no longer takes the listener lock. + +Since this time, we might hit a use-after-free in sk_filter_charge(), +if the filter we got in the memcpy() of the listener content +just happened to be replaced by a thread changing listener BPF filter. + +To fix this, we need to make sure the filter refcount is not already +zero before incrementing it again. + +Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") +Signed-off-by: Eric Dumazet +Acked-by: Alexei Starovoitov +Acked-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 15 +-- + net/core/sock.c | 5 - + 2 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 4eb4ce0..bfeedbb 100644 +--- a/net/core/filter.c b/net/core/filter.c +@@ -937,20 +937,31 @@ void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) + /* try to charge the socket memory if there is space available + * return true on success + */ +-bool sk_filter_charge(struct sock *sk, struct sk_filter *fp) ++static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp) + { + u32 filter_size = bpf_prog_size(fp->prog->len); + + /* same check as in sock_kmalloc() */ + if (filter_size <= sysctl_optmem_max && + atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { +- atomic_inc(&fp->refcnt); + atomic_add(filter_size, &sk->sk_omem_alloc)
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Wednesday, March 15, 2017 @ 15:03:01 Author: andyrtr Revision: 290878 upgpkg: linux-lts 4.9.15-1 upstream update 4.9.15 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch ---+ 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch | 311 PKGBUILD | 13 2 files changed, 4 insertions(+), 320 deletions(-) Deleted: 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch === --- 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch 2017-03-15 14:23:40 UTC (rev 290877) +++ 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch 2017-03-15 15:03:01 UTC (rev 290878) 
@@ -1,311 +0,0 @@ ->From 1dea7a8061ad9212f4464464a80d0dcd477eceab Mon Sep 17 00:00:00 2001 -From: Alexander Popov -Date: Tue, 28 Feb 2017 19:28:54 +0300 -Subject: [PATCH 1/1] tty: n_hdlc: get rid of racy n_hdlc.tbuf - -Currently N_HDLC line discipline uses a self-made singly linked list for -data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after -an error. - -The commit be10eb7589337e5defbe214dae038a53dd21add8 -("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf. -After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put -one data buffer to tx_free_buf_list twice. That causes double free in -n_hdlc_release(). - -Let's use standard kernel linked list and get rid of n_hdlc.tbuf: -in case of tx error put current data buffer after the head of tx_buf_list. - -Signed-off-by: Alexander Popov - drivers/tty/n_hdlc.c | 132 +++ - 1 file changed, 69 insertions(+), 63 deletions(-) - -diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c -index eb27883..728c824 100644 a/drivers/tty/n_hdlc.c -+++ b/drivers/tty/n_hdlc.c -@@ -114,7 +114,7 @@ - #define DEFAULT_TX_BUF_COUNT 3 - - struct n_hdlc_buf { -- struct n_hdlc_buf *link; -+ struct list_head list_item; - int count; - char buf[1]; - }; -@@ -122,8 +122,7 @@ struct n_hdlc_buf { - #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) - - struct n_hdlc_buf_list { -- struct n_hdlc_buf *head; -- struct n_hdlc_buf *tail; -+ struct list_head list; - int count; - spinlock_tspinlock; - }; -@@ -136,7 +135,6 @@ struct n_hdlc_buf_list { - * @backup_tty - TTY to use if tty gets closed - * @tbusy - reentrancy flag for tx wakeup code - * @woke_up - FIXME: describe this field -- * @tbuf - currently transmitting tx buffer - * @tx_buf_list - list of pending transmit frame buffers - * @rx_buf_list - list of received frame buffers - * @tx_free_buf_list - list unused transmit frame buffers -@@ -149,7 +147,6 @@ struct n_hdlc { - struct tty_struct *backup_tty; - int tbusy; - int 
woke_up; -- struct n_hdlc_buf *tbuf; - struct n_hdlc_buf_list tx_buf_list; - struct n_hdlc_buf_list rx_buf_list; - struct n_hdlc_buf_list tx_free_buf_list; -@@ -159,6 +156,8 @@ struct n_hdlc { - /* - * HDLC buffer list manipulation functions - */ -+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list, -+ struct n_hdlc_buf *buf); - static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, - struct n_hdlc_buf *buf); - static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list); -@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty) - { - struct n_hdlc *n_hdlc = tty2n_hdlc(tty); - struct n_hdlc_buf *buf; -- unsigned long flags; - - while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list))) - n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf); -- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags); -- if (n_hdlc->tbuf) { -- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf); -- n_hdlc->tbuf = NULL; -- } -- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); - } - - static struct tty_ldisc_ops n_hdlc_ldisc = { -@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc) - } else - break; - } -- kfree(n_hdlc->tbuf); - kfree(n_hdlc); - - } /* end of n_hdlc_release() */ -@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - n_hdlc->woke_up = 0; - spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); - -- /* get current transmit buffer or get new transmit */ -- /* buffer from list of pending transmit buffers */ -- -- tbuf = n_hdlc->tbuf; -- if (!tbuf) -- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list); --
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Sunday, March 12, 2017 @ 13:15:19 Author: andyrtr Revision: 290674 upgpkg: linux-lts 4.9.14-1 upstream update 4.9.14; apply fix for CVE-2017-2636 Added: linux-lts/trunk/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch Modified: linux-lts/trunk/PKGBUILD ---+ 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch | 311 PKGBUILD | 13 2 files changed, 320 insertions(+), 4 deletions(-) Added: 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch === --- 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch (rev 0) +++ 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch 2017-03-12 13:15:19 UTC (rev 290674) 
@@ -0,0 +1,311 @@ +>From 1dea7a8061ad9212f4464464a80d0dcd477eceab Mon Sep 17 00:00:00 2001 +From: Alexander Popov +Date: Tue, 28 Feb 2017 19:28:54 +0300 +Subject: [PATCH 1/1] tty: n_hdlc: get rid of racy n_hdlc.tbuf + +Currently N_HDLC line discipline uses a self-made singly linked list for +data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after +an error. + +The commit be10eb7589337e5defbe214dae038a53dd21add8 +("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf. +After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put +one data buffer to tx_free_buf_list twice. That causes double free in +n_hdlc_release(). + +Let's use standard kernel linked list and get rid of n_hdlc.tbuf: +in case of tx error put current data buffer after the head of tx_buf_list. + +Signed-off-by: Alexander Popov +--- + drivers/tty/n_hdlc.c | 132 +++ + 1 file changed, 69 insertions(+), 63 deletions(-) + +diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c +index eb27883..728c824 100644 +--- a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c +@@ -114,7 +114,7 @@ + #define DEFAULT_TX_BUF_COUNT 3 + + struct n_hdlc_buf { +- struct n_hdlc_buf *link; ++ struct list_head list_item; + int count; + char buf[1]; + }; +@@ -122,8 +122,7 @@ struct n_hdlc_buf { + #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) + + struct n_hdlc_buf_list { +- struct n_hdlc_buf *head; +- struct n_hdlc_buf *tail; ++ struct list_head list; + int count; + spinlock_tspinlock; + }; +@@ -136,7 +135,6 @@ struct n_hdlc_buf_list { + * @backup_tty - TTY to use if tty gets closed + * @tbusy - reentrancy flag for tx wakeup code + * @woke_up - FIXME: describe this field +- * @tbuf - currently transmitting tx buffer + * @tx_buf_list - list of pending transmit frame buffers + * @rx_buf_list - list of received frame buffers + * @tx_free_buf_list - list unused transmit frame buffers +@@ -149,7 +147,6 @@ struct n_hdlc { + struct tty_struct *backup_tty; + int tbusy; + int 
woke_up; +- struct n_hdlc_buf *tbuf; + struct n_hdlc_buf_list tx_buf_list; + struct n_hdlc_buf_list rx_buf_list; + struct n_hdlc_buf_list tx_free_buf_list; +@@ -159,6 +156,8 @@ struct n_hdlc { + /* + * HDLC buffer list manipulation functions + */ ++static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list, ++ struct n_hdlc_buf *buf); + static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, + struct n_hdlc_buf *buf); + static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list); +@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty) + { + struct n_hdlc *n_hdlc = tty2n_hdlc(tty); + struct n_hdlc_buf *buf; +- unsigned long flags; + + while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list))) + n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf); +- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags); +- if (n_hdlc->tbuf) { +- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf); +- n_hdlc->tbuf = NULL; +- } +- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); + } + + static struct tty_ldisc_ops n_hdlc_ldisc = { +@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc) + } else + break; + } +- kfree(n_hdlc->tbuf); + kfree(n_hdlc); + + } /* end of n_hdlc_release() */ +@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) + n_hdlc->woke_up = 0; + spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); + +- /* get current transmit buffer or get new transmit */ +- /* buffer from list of pending transmit buffers */ +- +- tbuf = n_hdlc->tbuf; +- if (!tbuf) +- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Sunday, February 26, 2017 @ 21:24:48 Author: andyrtr Revision: 289571 upgpkg: linux-lts 4.4.52-1 upstream update 4.4.52 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch + 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 -- PKGBUILD | 13 -- 2 files changed, 4 insertions(+), 56 deletions(-) Deleted: 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch === --- 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch 2017-02-26 21:10:33 UTC (rev 289570) +++ 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch 2017-02-26 21:24:48 UTC (rev 289571) 
@@ -1,47 +0,0 @@ -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba347184bda9b3fe..8fedc2d497709b3d 100644 a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; --- -2.11.1 - Modified: PKGBUILD === --- PKGBUILD2017-02-26 21:10:33 UTC (rev 289570) +++ PKGBUILD2017-02-26 21:24:48 UTC (rev 289571) @@ -4,7 +4,7 @@ pkgbase=linux-lts #pkgbase=linux-lts-custom _srcname=linux-4.4 -pkgver=4.4.51 +pkgver=4.4.52 pkgrel=1 arch=('i686' 'x86_64') url="https://www.kernel.org/"; 
@@ -20,12 +20,11 @@ # standard config files for mkinitcpio ramdisk linux-lts.preset change-default-console-loglevel.patch -0001-sdhci-revert.patch -0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch) +0001-sdhci-revert.patch) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2' 'SKIP' -'dded5f71d8533a38e8aafad224e0fe5f7d3a4eed1cfc1a79c321581e148821e8' +'96dfdcb3144509275bba3b3f8ad925b18f31a22dcab5abfd5a4b816977a4e8c3' 'SKIP' 'b11702727b1503e5a613946790978481d34d8ecc6870337fadd3ce1ef084a8e2' '68c7296ff2f5f55d69e83aa4d20f925df740b1eb1e6bdb0f13e8a170360ed09f' @@ -32,8 +31,7 @@ '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' -'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375' -'85954ac18da9dc1bec5df28e2f097d13016e39fa9631074f85b6364af340fcd9') +'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) @@ -45,9 +43,6 @@ # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" - # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 - patch -p1 -i "${srcdir}/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch" - # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Thursday, February 23, 2017 @ 17:22:40 Author: andyrtr Revision: 289441 upgpkg: linux-lts 4.4.50-2 apply fix for CVE-2017-6074 Added: linux-lts/trunk/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch Modified: linux-lts/trunk/PKGBUILD + 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 ++ PKGBUILD | 11 +- 2 files changed, 55 insertions(+), 3 deletions(-) Added: 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch === --- 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch (rev 0) +++ 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch 2017-02-23 17:22:40 UTC (rev 289441) 
@@ -0,0 +1,47 @@ +From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Thu, 16 Feb 2017 17:22:46 +0100 +Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO + +In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet +is forcibly freed via __kfree_skb in dccp_rcv_state_process if +dccp_v6_conn_request successfully returns. + +However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb +is saved to ireq->pktopts and the ref count for skb is incremented in +dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed +in dccp_rcv_state_process. + +Fix by calling consume_skb instead of doing goto discard and therefore +calling __kfree_skb. + +Similar fixes for TCP: + +fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. +0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now +simply consumed + +Signed-off-by: Andrey Konovalov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/dccp/input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dccp/input.c b/net/dccp/input.c +index ba347184bda9b3fe..8fedc2d497709b3d 100644 +--- a/net/dccp/input.c b/net/dccp/input.c +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + if (inet_csk(sk)->icsk_af_ops->conn_request(sk, + skb) < 0) + return 1; +- goto discard; ++ consume_skb(skb); ++ return 0; + } + if (dh->dccph_type == DCCP_PKT_RESET) + goto discard; +-- +2.11.1 + Modified: PKGBUILD === --- PKGBUILD2017-02-23 16:50:03 UTC (rev 289440) +++ PKGBUILD2017-02-23 17:22:40 UTC (rev 289441) @@ -5,7 +5,7 @@ #pkgbase=linux-lts-custom _srcname=linux-4.4 pkgver=4.4.50 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="https://www.kernel.org/"; license=('GPL2') 
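Review bot: The new `consume_skb(skb); return 0;` pair in dccp_rcv_state_process() carries no comment, so it reads as a needless deviation from the `goto discard` still used just below for DCCP_PKT_RESET. Per the patch description, conn_request() can keep the skb in ireq->pktopts when IPV6_RECVPKTINFO is set and takes a reference for it, so only the caller's reference may be dropped here. I would add `/* conn_request() may hold a reference to skb (IPV6_RECVPKTINFO); drop ours, do not force-free */` above the call. The function body starts and ends outside the hunk, so whether any other path reaches `discard` after a successful conn_request() cannot be checked from here.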
@@ -20,7 +20,8 @@ # standard config files for mkinitcpio ramdisk linux-lts.preset change-default-console-loglevel.patch -0001-sdhci-revert.patch) +0001-sdhci-revert.patch +0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2' 'SKIP' @@ -31,7 +32,8 @@ '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' -'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375') +'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375' +'85954ac18da9dc1bec5df28e2f097d13016e39fa9631074f85b6364af340fcd9') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) @@ -43,6 +45,9 @@ # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" + # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 + patch -p1 -i "${srcdir}/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch" + # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Saturday, December 10, 2016 @ 20:11:59 Author: andyrtr Revision: 283020 upgpkg: linux-lts 4.4.38-1 upstream update 4.4.38 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/fix_race_condition_in_packet_set_ring.diff + PKGBUILD | 14 +--- fix_race_condition_in_packet_set_ring.diff | 84 --- 2 files changed, 4 insertions(+), 94 deletions(-) Modified: PKGBUILD === --- PKGBUILD2016-12-10 19:46:55 UTC (rev 283019) +++ PKGBUILD2016-12-10 20:11:59 UTC (rev 283020) @@ -4,7 +4,7 @@ pkgbase=linux-lts #pkgbase=linux-lts-custom _srcname=linux-4.4 -pkgver=4.4.37 +pkgver=4.4.38 pkgrel=1 arch=('i686' 'x86_64') url="https://www.kernel.org/"; @@ -20,12 +20,11 @@ # standard config files for mkinitcpio ramdisk linux-lts.preset change-default-console-loglevel.patch -0001-sdhci-revert.patch -fix_race_condition_in_packet_set_ring.diff) +0001-sdhci-revert.patch) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2' 'SKIP' -'1dfa256765585bf85a17b7129d717761e12338c654a3a3a803f1d967ccfa54f3' +'48ec169c7adda820973b3cb9c4c91c72bb69c86f530d149065491a20ef0c4057' 'SKIP' 'b11702727b1503e5a613946790978481d34d8ecc6870337fadd3ce1ef084a8e2' '68c7296ff2f5f55d69e83aa4d20f925df740b1eb1e6bdb0f13e8a170360ed09f' @@ -32,8 +31,7 @@ '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' -'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375' -'ad1ee95f906f88d31fcdb9273cd08e02e8eda177449f0c98dc1bff8cbf1483c2') +'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) 
@@ -45,10 +43,6 @@ # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" - # fix a race condition that allows to gain root - # https://marc.info/?l=linux-netdev&m=148054660230570&w=2 - patch -p1 -i "${srcdir}/fix_race_condition_in_packet_set_ring.diff" - # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git Deleted: fix_race_condition_in_packet_set_ring.diff === --- fix_race_condition_in_packet_set_ring.diff 2016-12-10 19:46:55 UTC (rev 283019) +++ fix_race_condition_in_packet_set_ring.diff 2016-12-10 20:11:59 UTC (rev 283020) 
@@ -1,84 +0,0 @@ -From: Philip Pettersson - -When packet_set_ring creates a ring buffer it will initialize a -struct timer_list if the packet version is TPACKET_V3. This value -can then be raced by a different thread calling setsockopt to -set the version to TPACKET_V1 before packet_set_ring has finished. - -This leads to a use-after-free on a function pointer in the -struct timer_list when the socket is closed as the previously -initialized timer will not be deleted. - -The bug is fixed by taking lock_sock(sk) in packet_setsockopt when -changing the packet version while also taking the lock at the start -of packet_set_ring. - -Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") -Signed-off-by: Philip Pettersson -Signed-off-by: Eric Dumazet - net/packet/af_packet.c | 18 -- - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index d2238b204691b8e4f2e3acb9bc167b553ba32d50..dd2332390c45bbff7c3fc5d259453f2e1ca352bf 100644 a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv - - if (optlen != sizeof(val)) - return -EINVAL; -- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) -- return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; - switch (val) { - case TPACKET_V1: - case TPACKET_V2: - case TPACKET_V3: -- po->tp_version = val; -- return 0; -+ break; - default: - return -EINVAL; - } -+ lock_sock(sk); -+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { -+ ret = -EBUSY; -+
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Tuesday, December 6, 2016 @ 12:06:47 Author: andyrtr Revision: 282873 upgpkg: linux-lts 4.4.36-1 upstream update 4.4.36; CVE-2016-8655 Added: linux-lts/trunk/fix_race_condition_in_packet_set_ring.diff Modified: linux-lts/trunk/PKGBUILD + PKGBUILD | 16 +++-- fix_race_condition_in_packet_set_ring.diff | 84 +++ 2 files changed, 95 insertions(+), 5 deletions(-) Modified: PKGBUILD === --- PKGBUILD2016-12-06 11:08:10 UTC (rev 282872) +++ PKGBUILD2016-12-06 12:06:47 UTC (rev 282873) @@ -4,10 +4,10 @@ pkgbase=linux-lts #pkgbase=linux-lts-custom _srcname=linux-4.4 -pkgver=4.4.35 +pkgver=4.4.36 pkgrel=1 arch=('i686' 'x86_64') -url="http://www.kernel.org/"; +url="https://www.kernel.org/"; license=('GPL2') makedepends=('xmlto' 'docbook-xsl' 'kmod' 'inetutils' 'bc') options=('!strip') @@ -18,17 +18,19 @@ # standard config files for mkinitcpio ramdisk linux-lts.preset change-default-console-loglevel.patch -0001-sdhci-revert.patch) +0001-sdhci-revert.patch +fix_race_condition_in_packet_set_ring.diff) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2' 'SKIP' -'5d0cc352645127191767e1c33f78c48dfdee7022fe425639a4c95a901d5e5c77' +'468ddfe3f29c314b40e32410c796fda9277620d50bc47b50fafc8a5a4c375e61' 'SKIP' 'b11702727b1503e5a613946790978481d34d8ecc6870337fadd3ce1ef084a8e2' '68c7296ff2f5f55d69e83aa4d20f925df740b1eb1e6bdb0f13e8a170360ed09f' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' -'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375') +'5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375' +'ad1ee95f906f88d31fcdb9273cd08e02e8eda177449f0c98dc1bff8cbf1483c2') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) 
@@ -40,6 +42,10 @@ # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" + # fix a race condition that allows to gain root + # https://marc.info/?l=linux-netdev&m=148054660230570&w=2 + patch -p1 -i "${srcdir}/fix_race_condition_in_packet_set_ring.diff" + # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git Added: fix_race_condition_in_packet_set_ring.diff === --- fix_race_condition_in_packet_set_ring.diff (rev 0) +++ fix_race_condition_in_packet_set_ring.diff 2016-12-06 12:06:47 UTC (rev 282873) 
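Review bot: The comment added above the new `patch -p1 -i "${srcdir}/fix_race_condition_in_packet_set_ring.diff"` line describes the impact but leaves out the identifier, although the commit message names CVE-2016-8655. Without it the line cannot be matched against advisories or against the stable changelog that will make the patch redundant. I would write `# CVE-2016-8655: race in packet_set_ring (af_packet) that allows to gain root` and add `# drop once the fix is part of the upstream stable patch`. The mailing-list link can stay as the source reference.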
@@ -0,0 +1,84 @@ +From: Philip Pettersson + +When packet_set_ring creates a ring buffer it will initialize a +struct timer_list if the packet version is TPACKET_V3. This value +can then be raced by a different thread calling setsockopt to +set the version to TPACKET_V1 before packet_set_ring has finished. + +This leads to a use-after-free on a function pointer in the +struct timer_list when the socket is closed as the previously +initialized timer will not be deleted. + +The bug is fixed by taking lock_sock(sk) in packet_setsockopt when +changing the packet version while also taking the lock at the start +of packet_set_ring. + +Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") +Signed-off-by: Philip Pettersson +Signed-off-by: Eric Dumazet +--- + net/packet/af_packet.c | 18 -- + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index d2238b204691b8e4f2e3acb9bc167b553ba32d50..dd2332390c45bbff7c3fc5d259453f2e1ca352bf 100644 +--- a/net/packet/af_packet.c b/net/packet/af_packet.c +@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + switch (val) { + case TPACKET_V1: + case TPACKET_V2: + case TPACKET_V3: +- po->tp_version = val; +- return 0; ++ break; + default: + return -EINVAL; + } ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Friday, October 23, 2015 @ 21:07:32 Author: andyrtr Revision: 249690 upgpkg: linux-lts 4.1.11-1 rebuild for 4.1.11 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff -+ 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff | 37 -- PKGBUILD| 15 +--- 2 files changed, 5 insertions(+), 47 deletions(-) Deleted: 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff === --- 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff 2015-10-23 17:26:10 UTC (rev 249689) +++ 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff 2015-10-23 19:07:32 UTC (rev 249690) @@ -1,37 +0,0 @@ -From 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Thu, 13 Aug 2015 15:44:51 -0700 -Subject: inet: fix potential deadlock in reqsk_queue_unlink() - -When replacing del_timer() with del_timer_sync(), I introduced -a deadlock condition : - -reqsk_queue_unlink() is called from inet_csk_reqsk_queue_drop() - -inet_csk_reqsk_queue_drop() can be called from many contexts, -one being the timer handler itself (reqsk_timer_handler()). - -In this case, del_timer_sync() loops forever. - -Simple fix is to test if timer is pending. - -Fixes: 2235f2ac75fd ("inet: fix races with reqsk timers") -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller - -diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index 05e3145..1349571 100644 a/net/ipv4/inet_connection_sock.c -+++ b/net/ipv4/inet_connection_sock.c -@@ -593,7 +593,7 @@ static bool reqsk_queue_unlink(struct request_sock_queue *queue, - } - - spin_unlock(&queue->syn_wait_lock); -- if (del_timer_sync(&req->rsk_timer)) -+ if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) - reqsk_put(req); - return found; - } --- -cgit v0.10.2 - Modified: PKGBUILD === --- PKGBUILD2015-10-23 17:26:10 UTC (rev 249689) +++ PKGBUILD2015-10-23 19:07:32 UTC (rev 249690) 
@@ -4,8 +4,8 @@ pkgbase=linux-lts _srcname=linux-4.1 -pkgver=4.1.10 -pkgrel=2 +pkgver=4.1.11 +pkgrel=1 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -17,18 +17,16 @@ 'config' 'config.x86_64' # standard config files for mkinitcpio ramdisk "$pkgbase.preset" -change-default-console-loglevel.patch -0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff) +change-default-console-loglevel.patch) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f' 'SKIP' -'929e210fe6dbd5dd26812c146630be14e979aae6c960a2feb39544babb8e73cb' +'f98156dd7ceac2849de16b38cdb7a530cd3c74833ab613e0822b7bc4583cccb1' 'SKIP' 'a3a17dec60161aa885c372a5edaa047f5e43044a66a5088e19392986eb8ea1a8' '70842d2c2bc56f4520bc021786e386634cb1b7adbfbdf704d048aefa65d59aa2' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' -'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' -'fd5dcb1847fc22f36892673066c801e818dce42d1f709dafa9f12bf8337024f3') +'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) @@ -42,9 +40,6 @@ # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git - - # fix network deadlocks; FS#46570 - patch -p1 -i ${srcdir}/0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param) # remove this when a Kconfig knob is made available by upstream
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Wednesday, October 7, 2015 @ 22:26:33 Author: andyrtr Revision: 248471 upgpkg: linux-lts 4.1.10-2 fix inet deadlock - FS#46570 Added: linux-lts/trunk/0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff Modified: linux-lts/trunk/PKGBUILD -+ 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff | 37 ++ PKGBUILD| 11 ++ 2 files changed, 45 insertions(+), 3 deletions(-) Added: 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff === --- 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff (rev 0) +++ 0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff 2015-10-07 20:26:33 UTC (rev 248471) @@ -0,0 +1,37 @@ +From 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 13 Aug 2015 15:44:51 -0700 +Subject: inet: fix potential deadlock in reqsk_queue_unlink() + +When replacing del_timer() with del_timer_sync(), I introduced +a deadlock condition : + +reqsk_queue_unlink() is called from inet_csk_reqsk_queue_drop() + +inet_csk_reqsk_queue_drop() can be called from many contexts, +one being the timer handler itself (reqsk_timer_handler()). + +In this case, del_timer_sync() loops forever. + +Simple fix is to test if timer is pending. + +Fixes: 2235f2ac75fd ("inet: fix races with reqsk timers") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 05e3145..1349571 100644 +--- a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +@@ -593,7 +593,7 @@ static bool reqsk_queue_unlink(struct request_sock_queue *queue, + } + + spin_unlock(&queue->syn_wait_lock); +- if (del_timer_sync(&req->rsk_timer)) ++ if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) + reqsk_put(req); + return found; + } +-- +cgit v0.10.2 + Modified: PKGBUILD === --- PKGBUILD2015-10-07 19:22:32 UTC (rev 248470) +++ PKGBUILD2015-10-07 20:26:33 UTC (rev 248471) 
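Review bot: The new test `timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)` in reqsk_queue_unlink() has no comment saying why the pending check comes first. The reason is only in the patch description: the function can be reached from reqsk_timer_handler() itself, where del_timer_sync() loops forever. A comment above the test would keep that visible, for example `/* may be called from reqsk_timer_handler(); del_timer_sync() would never return there */`. The check also means a caller in any other context skips the synchronous wait whenever the timer is not pending, which presumably includes the window where the handler is running on another CPU, so it is worth confirming that the reference counting around reqsk_put() covers that case. reqsk_queue_unlink()'s body starts outside the hunk.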
@@ -5,7 +5,7 @@ pkgbase=linux-lts _srcname=linux-4.1 pkgver=4.1.10 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -17,7 +17,8 @@ 'config' 'config.x86_64' # standard config files for mkinitcpio ramdisk "$pkgbase.preset" -'change-default-console-loglevel.patch') +change-default-console-loglevel.patch +0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff) # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f' 'SKIP' @@ -26,7 +27,8 @@ 'a3a17dec60161aa885c372a5edaa047f5e43044a66a5088e19392986eb8ea1a8' '70842d2c2bc56f4520bc021786e386634cb1b7adbfbdf704d048aefa65d59aa2' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' -'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99') +'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' +'fd5dcb1847fc22f36892673066c801e818dce42d1f709dafa9f12bf8337024f3') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) @@ -40,6 +42,9 @@ # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git + + # fix network deadlocks; FS#46570 + patch -p1 -i ${srcdir}/0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param) # remove this when a Kconfig knob is made available by upstream
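Review bot: The added `patch -p1 -i ${srcdir}/0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff` line in the `@@ -40,6 +42,9 @@` hunk leaves `${srcdir}` unquoted, so the argument is word-split when the build directory path contains whitespace. Quote the whole path: `patch -p1 -i "${srcdir}/0001_inet_fix_potential_deadlock_in_reqsk_queue_unlink.diff"`. The quoted form is what the other patch invocations shown for this PKGBUILD use.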
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Friday, May 22, 2015 @ 06:03:18 Author: foutrelis Revision: 239654 upgpkg: linux-lts 3.14.43-2 Add proposed fix for data loss on md raid0 when discard is used (FS#45040). Added: linux-lts/trunk/md-raid0-fix-restore-to-sector-variable-in-raid0_mak.patch Modified: linux-lts/trunk/PKGBUILD + PKGBUILD |7 + md-raid0-fix-restore-to-sector-variable-in-raid0_mak.patch | 50 +++ 2 files changed, 56 insertions(+), 1 deletion(-) Modified: PKGBUILD === --- PKGBUILD2015-05-22 04:03:07 UTC (rev 239653) +++ PKGBUILD2015-05-22 04:03:18 UTC (rev 239654) @@ -5,7 +5,7 @@ pkgbase=linux-lts _srcname=linux-3.14 pkgver=3.14.43 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -22,6 +22,7 @@ '0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch' '0003-module-remove-MODULE_GENERIC_TABLE.patch' '0006-genksyms-fix-typeof-handling.patch' +'md-raid0-fix-restore-to-sector-variable-in-raid0_mak.patch' 'gcc5_buildfixes.diff' ) # https://www.kernel.org/pub/linux/kernel/v3.x/sha256sums.asc @@ -37,6 +38,7 @@ '52dec83a8805a8642d74d764494acda863e0aa23e3d249e80d4b457e20a3fd29' '65d58f63215ee3c5f9c4fc6bce36fc5311a6c7dbdbe1ad29de40647b47ff9c0d' 'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7' +'bc83293e64653d60793708a0e277741f57c018f5ea3551a8aff3a220df917ceb' '470d6d019d288dce02b4a9758a34ea71d41715663a19a164749212a470a131e7') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) 
@@ -56,6 +58,9 @@ # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" + # https://bugzilla.kernel.org/show_bug.cgi?id=98501 + patch -Np1 -i "${srcdir}/md-raid0-fix-restore-to-sector-variable-in-raid0_mak.patch" + # buildfixes for gcc5 # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/scsi/qla2xxx/qla_nx2.c?id=9493c2422cae272d6f1f567cbb424195defe4176 # https://lkml.org/lkml/2014/11/9/27 Added: md-raid0-fix-restore-to-sector-variable-in-raid0_mak.patch === --- md-raid0-fix-restore-to-sector-variable-in-raid0_mak.patch (rev 0) +++ md-raid0-fix-restore-to-sector-variable-in-raid0_mak.patch 2015-05-22 04:03:18 UTC (rev 239654) 
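Review bot: The only comment on the new `patch -Np1` line is a bare bug URL. The PKGBUILD therefore does not say what the patch is for, or that it is a proposed fix rather than a released one, both of which the commit message states. Something like `# proposed fix for data loss on md raid0 when discard is used (FS#45040)` above the URL, plus `# drop when the fix reaches the 3.14 stable series`, would tell the next packager when the line can go.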
@@ -0,0 +1,50 @@ +From a81157768a00e8cf8a7b43b5ea5cac931262374f Mon Sep 17 00:00:00 2001 +From: Eric Work +Date: Mon, 18 May 2015 23:26:23 -0700 +Subject: [PATCH] md/raid0: fix restore to sector variable in + raid0_make_request + +The variable "sector" in "raid0_make_request()" was improperly updated +by a call to "sector_div()" which modifies its first argument in place. +Commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd restored this variable +after the call for later re-use. Unfortunetly the restore was done after +the referenced variable "bio" was advanced. This lead to the original +value and the restored value being different. Here we move this line to +the proper place. + +One observed side effect of this bug was discarding a file though +unlinking would cause an unrelated file's contents to be discarded. + +Signed-off-by: NeilBrown +Fixes: 47d68979cc96 ("md/raid0: fix bug with chunksize not a power of 2.") +Cc: sta...@vger.kernel.org (any that received above backport) +URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501 +--- + drivers/md/raid0.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index 6a68ef5..efb654e 100644 +--- a/drivers/md/raid0.c b/drivers/md/raid0.c +@@ -524,6 +524,9 @@ static void raid0_make_request(struct mddev *mddev, struct bio *bio) +? (sector & (chunk_sects-1)) +: sector_div(sector, chunk_sects)); + ++ /* Restore due to sector_div */ ++ sector = bio->bi_iter.bi_sector; ++ + if (sectors < bio_sectors(bio)) { + split = bio_split(bio, sectors, GFP_NOIO, fs_bio_set); + bio_chain(split, bio); +@@ -531,7 +534,6 @@ static void raid0_make_request(struct mddev *mddev, struct bio *bio) + split = bio; + } + +- sector = bio->bi_iter.bi_sector; + zone = find_zone(mddev->private, §or); + tmp_dev = map_sector(mddev, zone, sector, §or); + split->bi_bdev = tmp_dev->bdev; +-- +2.4.1 +
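Review bot: The added comment `/* Restore due to sector_div */` in raid0_make_request() says why `sector` is reassigned but not why the assignment has to sit before the split branch, which is the whole point of the change. Per the patch description, the earlier placement read `bio->bi_iter.bi_sector` after `bio` had been advanced, so the restored value differed from the original. I would extend the comment to `/* Restore due to sector_div; do it before bio is advanced by the split below */` so a later reordering does not reintroduce the bug. raid0_make_request()'s body starts and ends outside the hunks.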
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Sunday, April 19, 2015 @ 13:33:49 Author: andyrtr Revision: 237454 upgpkg: linux-lts 3.14.39-1 upstream update 3.14.39 Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001-fix-btrfs-mount-deadlock.patch -+ 0001-fix-btrfs-mount-deadlock.patch | 43 -- PKGBUILD| 12 ++--- 2 files changed, 3 insertions(+), 52 deletions(-) Deleted: 0001-fix-btrfs-mount-deadlock.patch === --- 0001-fix-btrfs-mount-deadlock.patch 2015-04-19 11:26:33 UTC (rev 237453) +++ 0001-fix-btrfs-mount-deadlock.patch 2015-04-19 11:33:49 UTC (rev 237454) @@ -1,43 +0,0 @@ -From 9c4f61f01d269815bb7c37be3ede59c5587747c6 Mon Sep 17 00:00:00 2001 -From: David Sterba -Date: Fri, 2 Jan 2015 19:12:57 +0100 -Subject: btrfs: simplify insert_orphan_item - -We can search and add the orphan item in one go, -btrfs_insert_orphan_item will find out if the item already exists. - -Signed-off-by: David Sterba - -diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c -index 5be45c1..25a1c36 100644 a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -1254,21 +1254,13 @@ out: - } - - static int insert_orphan_item(struct btrfs_trans_handle *trans, --struct btrfs_root *root, u64 offset) -+struct btrfs_root *root, u64 ino) - { - int ret; -- struct btrfs_path *path; -- -- path = btrfs_alloc_path(); -- if (!path) -- return -ENOMEM; - -- ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID, -- offset, BTRFS_ORPHAN_ITEM_KEY, NULL); -- if (ret > 0) -- ret = btrfs_insert_orphan_item(trans, root, offset); -- -- btrfs_free_path(path); -+ ret = btrfs_insert_orphan_item(trans, root, ino); -+ if (ret == -EEXIST) -+ ret = 0; - - return ret; - } --- -cgit v0.10.2 - Modified: PKGBUILD === --- PKGBUILD2015-04-19 11:26:33 UTC (rev 237453) +++ PKGBUILD2015-04-19 11:33:49 UTC (rev 237454) @@ -4,7 +4,7 @@ pkgbase=linux-lts _srcname=linux-3.14 -pkgver=3.14.38 +pkgver=3.14.39 pkgrel=1 arch=('i686' 'x86_64') url="http://www.kernel.org/"; 
@@ -22,12 +22,11 @@ '0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch' '0003-module-remove-MODULE_GENERIC_TABLE.patch' '0006-genksyms-fix-typeof-handling.patch' -'0001-fix-btrfs-mount-deadlock.patch' ) # https://www.kernel.org/pub/linux/kernel/v3.x/sha256sums.asc sha256sums=('61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa' 'SKIP' -'f03ac0a2656bb4c7d8532af67b74057f1a0cce1f7d43f5019b18c6edf3a7933a' +'9c50ad5aacfbb8c6f8c3666e305a23d50c922ea0a13dbf44a8e15a9637f1d880' 'SKIP' '999486d20e07e489bb42356b529b739c65ad65de9191282f0ddbbc0eb9b1718e' '140098de1ba714c5916ea76578b8bf549ce801c4aa0c786b7c90289b85ecdb77' @@ -36,8 +35,7 @@ '6d72e14552df59e6310f16c176806c408355951724cd5b48a47bf01591b8be02' '52dec83a8805a8642d74d764494acda863e0aa23e3d249e80d4b457e20a3fd29' '65d58f63215ee3c5f9c4fc6bce36fc5311a6c7dbdbe1ad29de40647b47ff9c0d' -'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7' -'5967cf53cb9db9f070e8f346c3d7045748e4823a7fe2ee330acd18c9d02bbb77') +'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) @@ -68,10 +66,6 @@ # http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dc53324060f324e8af6867f57bf4891c13c6ef18 patch -p1 -i "${srcdir}/0006-genksyms-fix-typeof-handling.patch" - # fix #44495 and #44385 deadlock on btrfs mount - # https://btrfs.wiki.kernel.org/index.php/Gotchas - patch -Np1 -i "${srcdir}/0001-fix-btrfs-mount-deadlock.patch" - if [ "${CARCH}" = "x86_64" ]; then cat "${srcdir}/config.x86_64" > ./.config else
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Sunday, April 12, 2015 @ 19:49:03 Author: andyrtr Revision: 236310 upgpkg: linux-lts 3.14.37-2 fix btrfs deadlock on mount Added: linux-lts/trunk/0001-fix-btrfs-mount-deadlock.patch Modified: linux-lts/trunk/PKGBUILD -+ 0001-fix-btrfs-mount-deadlock.patch | 43 ++ PKGBUILD| 10 ++- 2 files changed, 51 insertions(+), 2 deletions(-) Added: 0001-fix-btrfs-mount-deadlock.patch === --- 0001-fix-btrfs-mount-deadlock.patch (rev 0) +++ 0001-fix-btrfs-mount-deadlock.patch 2015-04-12 17:49:03 UTC (rev 236310) @@ -0,0 +1,43 @@ +From 9c4f61f01d269815bb7c37be3ede59c5587747c6 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Fri, 2 Jan 2015 19:12:57 +0100 +Subject: btrfs: simplify insert_orphan_item + +We can search and add the orphan item in one go, +btrfs_insert_orphan_item will find out if the item already exists. + +Signed-off-by: David Sterba + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 5be45c1..25a1c36 100644 +--- a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +@@ -1254,21 +1254,13 @@ out: + } + + static int insert_orphan_item(struct btrfs_trans_handle *trans, +-struct btrfs_root *root, u64 offset) ++struct btrfs_root *root, u64 ino) + { + int ret; +- struct btrfs_path *path; +- +- path = btrfs_alloc_path(); +- if (!path) +- return -ENOMEM; + +- ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID, +- offset, BTRFS_ORPHAN_ITEM_KEY, NULL); +- if (ret > 0) +- ret = btrfs_insert_orphan_item(trans, root, offset); +- +- btrfs_free_path(path); ++ ret = btrfs_insert_orphan_item(trans, root, ino); ++ if (ret == -EEXIST) ++ ret = 0; + + return ret; + } +-- +cgit v0.10.2 + Modified: PKGBUILD === --- PKGBUILD2015-04-12 16:11:33 UTC (rev 236309) +++ PKGBUILD2015-04-12 17:49:03 UTC (rev 236310) @@ -5,7 +5,7 @@ pkgbase=linux-lts _srcname=linux-3.14 pkgver=3.14.37 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') 
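Review bot: The added `if (ret == -EEXIST) ret = 0;` in insert_orphan_item() maps an already-existing orphan item to success, and nothing at that line says this is the intended replacement for the removed btrfs_find_item() lookup. A short comment such as `/* orphan item already exists: nothing to insert */` would state it, so the swallowed error code does not look accidental. The patch description speaks only of a simplification, so how this change relates to the mount deadlock named in the file name cannot be confirmed from the hunk.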
@@ -22,6 +22,7 @@ '0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch' '0003-module-remove-MODULE_GENERIC_TABLE.patch' '0006-genksyms-fix-typeof-handling.patch' +'0001-fix-btrfs-mount-deadlock.patch' ) # https://www.kernel.org/pub/linux/kernel/v3.x/sha256sums.asc sha256sums=('61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa' @@ -35,7 +36,8 @@ '6d72e14552df59e6310f16c176806c408355951724cd5b48a47bf01591b8be02' '52dec83a8805a8642d74d764494acda863e0aa23e3d249e80d4b457e20a3fd29' '65d58f63215ee3c5f9c4fc6bce36fc5311a6c7dbdbe1ad29de40647b47ff9c0d' -'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7') +'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7' +'5967cf53cb9db9f070e8f346c3d7045748e4823a7fe2ee330acd18c9d02bbb77') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) ) @@ -66,6 +68,10 @@ # http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dc53324060f324e8af6867f57bf4891c13c6ef18 patch -p1 -i "${srcdir}/0006-genksyms-fix-typeof-handling.patch" + # fix #44495 and #44385 deadlock on btrfs mount + # https://btrfs.wiki.kernel.org/index.php/Gotchas + patch -Np1 -i "${srcdir}/0001-fix-btrfs-mount-deadlock.patch" + if [ "${CARCH}" = "x86_64" ]; then cat "${srcdir}/config.x86_64" > ./.config else
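Review bot: The comment added with the new `patch -Np1 -i "${srcdir}/0001-fix-btrfs-mount-deadlock.patch"` line in the `@@ -66,6 +68,10 @@` hunk points to a wiki page, `https://btrfs.wiki.kernel.org/index.php/Gotchas`, whose content can change, and not to the change actually being carried. The patch header on this page gives the upstream commit, so I would add `# upstream commit 9c4f61f01d269815bb7c37be3ede59c5587747c6 (btrfs: simplify insert_orphan_item)` next to the bug numbers. That lets the patch be verified against upstream and dropped once the stable series contains it.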
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Thursday, August 14, 2014 @ 08:14:31 Author: bpiotrowski Revision: 219733 upgpkg: linux-lts 3.14.17-1 new upstream release Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch ---+ PKGBUILD | 13 +++--- net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch | 12 - 2 files changed, 4 insertions(+), 21 deletions(-) Modified: PKGBUILD === --- PKGBUILD2014-08-14 06:02:18 UTC (rev 219732) +++ PKGBUILD2014-08-14 06:14:31 UTC (rev 219733) @@ -4,8 +4,8 @@ pkgbase=linux-lts _srcname=linux-3.14 -pkgver=3.14.16 -pkgrel=2 +pkgver=3.14.17 +pkgrel=1 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -22,11 +22,10 @@ '0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch' '0003-module-remove-MODULE_GENERIC_TABLE.patch' '0006-genksyms-fix-typeof-handling.patch' -'net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch' ) # https://www.kernel.org/pub/linux/kernel/v3.x/sha256sums.asc sha256sums=('61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa' -'3d3e79fd9795812f293aa38799c056aaea0f14da8294b31067f7768e9f38db2d' +'50b0e2a6812597b401a417bd1269b5388fdd980b6009d564fff09605100f0df8' '4c05b88384ee809120da06e6a3d0bbafb7cdfe6208b2e62237aaeaa25dfb29b7' 'a5b318c7fd21c1be2ac262d1b919d50bacedd0c841e9a82e7bca53d5b25b217b' '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0' @@ -34,8 +33,7 @@ '6d72e14552df59e6310f16c176806c408355951724cd5b48a47bf01591b8be02' '52dec83a8805a8642d74d764494acda863e0aa23e3d249e80d4b457e20a3fd29' '65d58f63215ee3c5f9c4fc6bce36fc5311a6c7dbdbe1ad29de40647b47ff9c0d' -'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7' -'7e5cd2df597ea9235c41957d019d6afd769213a068a4bfa38796b18abe048d25') +'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7') _kernelname=${pkgbase#linux} 
@@ -64,9 +62,6 @@ # http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dc53324060f324e8af6867f57bf4891c13c6ef18 patch -p1 -i "${srcdir}/0006-genksyms-fix-typeof-handling.patch" - # fixes NULL pointer dereference in net/sctp - patch -p1 -i "${srcdir}"/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch - if [ "${CARCH}" = "x86_64" ]; then cat "${srcdir}/config.x86_64" > ./.config else Deleted: net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch === --- net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch 2014-08-14 06:02:18 UTC (rev 219732) +++ net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch 2014-08-14 06:14:31 UTC (rev 219733) @@ -1,12 +0,0 @@ -diff --git a/net/sctp/associola.c b/net/sctp/associola.c -index 9de23a2..06a9ee6 100644 a/net/sctp/associola.c -+++ b/net/sctp/associola.c -@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc, - asoc->c = new->c; - asoc->peer.rwnd = new->peer.rwnd; - asoc->peer.sack_needed = new->peer.sack_needed; -+ asoc->peer.auth_capable = new->peer.auth_capable; - asoc->peer.i = new->peer.i; - sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, -asoc->peer.i.initial_tsn, GFP_ATOMIC);
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Wednesday, August 13, 2014 @ 10:43:33 Author: bpiotrowski Revision: 219659 upgpkg: linux-lts 3.14.16-2 fix NULL pointer dereference in net/sctp (FS#41329) Added: linux-lts/trunk/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch Modified: linux-lts/trunk/PKGBUILD ---+ PKGBUILD |9 +-- net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch | 12 ++ 2 files changed, 19 insertions(+), 2 deletions(-) Modified: PKGBUILD === --- PKGBUILD2014-08-13 08:13:59 UTC (rev 219658) +++ PKGBUILD2014-08-13 08:43:33 UTC (rev 219659) @@ -5,7 +5,7 @@ pkgbase=linux-lts _srcname=linux-3.14 pkgver=3.14.16 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -22,6 +22,7 @@ '0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch' '0003-module-remove-MODULE_GENERIC_TABLE.patch' '0006-genksyms-fix-typeof-handling.patch' +'net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch' ) # https://www.kernel.org/pub/linux/kernel/v3.x/sha256sums.asc sha256sums=('61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa' @@ -33,7 +34,8 @@ '6d72e14552df59e6310f16c176806c408355951724cd5b48a47bf01591b8be02' '52dec83a8805a8642d74d764494acda863e0aa23e3d249e80d4b457e20a3fd29' '65d58f63215ee3c5f9c4fc6bce36fc5311a6c7dbdbe1ad29de40647b47ff9c0d' -'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7') +'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7' +'7e5cd2df597ea9235c41957d019d6afd769213a068a4bfa38796b18abe048d25') _kernelname=${pkgbase#linux} 
@@ -62,6 +64,9 @@ # http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dc53324060f324e8af6867f57bf4891c13c6ef18 patch -p1 -i "${srcdir}/0006-genksyms-fix-typeof-handling.patch" + # fixes NULL pointer dereference in net/sctp + patch -p1 -i "${srcdir}"/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch + if [ "${CARCH}" = "x86_64" ]; then cat "${srcdir}/config.x86_64" > ./.config else Added: net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch === --- net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch (rev 0) +++ net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch 2014-08-13 08:43:33 UTC (rev 219659) @@ -0,0 +1,12 @@ +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 9de23a2..06a9ee6 100644 +--- a/net/sctp/associola.c b/net/sctp/associola.c +@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->c = new->c; + asoc->peer.rwnd = new->peer.rwnd; + asoc->peer.sack_needed = new->peer.sack_needed; ++ asoc->peer.auth_capable = new->peer.auth_capable; + asoc->peer.i = new->peer.i; + sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, +asoc->peer.i.initial_tsn, GFP_ATOMIC);
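Review bot: The comment `# fixes NULL pointer dereference in net/sctp` added in the `@@ -62,6 +64,9 @@` PKGBUILD hunk gives neither the bug id from the commit message (FS#41329) nor the origin of the patch. The added patch file itself carries no From/Subject header or upstream commit id. The sha256sums entry pins the file's content but not where it came from, so a later reviewer cannot check it against upstream. I would write `# fixes NULL pointer dereference in net/sctp (FS#41329); upstream commit <upstream-commit-id>` and keep the original patch header in the file.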
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Tuesday, May 13, 2014 @ 15:51:20 Author: bpiotrowski Revision: 212335 upgpkg: linux-lts 3.10.40-1 new upstream release Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch -+ 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch | 83 -- PKGBUILD| 15 - 2 files changed, 5 insertions(+), 93 deletions(-) Deleted: 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch === --- 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch 2014-05-13 10:35:01 UTC (rev 212334) +++ 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch 2014-05-13 13:51:20 UTC (rev 212335) 
@@ -1,83 +0,0 @@ -From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001 -From: Peter Hurley -Date: Sat, 3 May 2014 14:04:59 +0200 -Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode - -The tty atomic_write_lock does not provide an exclusion guarantee for -the tty driver if the termios settings are LECHO & !OPOST. And since -it is unexpected and not allowed to call TTY buffer helpers like -tty_insert_flip_string concurrently, this may lead to crashes when -concurrect writers call pty_write. In that case the following two -writers: -* the ECHOing from a workqueue and -* pty_write from the process -race and can overflow the corresponding TTY buffer like follows. - -If we look into tty_insert_flip_string_fixed_flag, there is: - int space = __tty_buffer_request_room(port, goal, flags); - struct tty_buffer *tb = port->buf.tail; - ... - memcpy(char_buf_ptr(tb, tb->used), chars, space); - ... - tb->used += space; - -so the race of the two can result in something like this: - AB -__tty_buffer_request_room - __tty_buffer_request_room -memcpy(buf(tb->used), ...) -tb->used += space; - memcpy(buf(tb->used), ...) ->BOOM - -B's memcpy is past the tty_buffer due to the previous A's tb->used -increment. - -Since the N_TTY line discipline input processing can output -concurrently with a tty write, obtain the N_TTY ldisc output_lock to -serialize echo output with normal tty writes. This ensures the tty -buffer helper tty_insert_flip_string is not called concurrently and -everything is fine. - -Note that this is nicely reproducible by an ordinary user using -forkpty and some setup around that (raw termios + ECHO). And it is -present in kernels at least after commit -d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to -use the normal buffering logic) in 2.6.31-rc3. 
- -js: add more info to the commit log -js: switch to bool -js: lock unconditionally -js: lock only the tty->ops->write call - -References: CVE-2014-0196 -Reported-and-tested-by: Jiri Slaby -Signed-off-by: Peter Hurley -Signed-off-by: Jiri Slaby -Cc: Linus Torvalds -Cc: Alan Cox -Cc: -Signed-off-by: Greg Kroah-Hartman - drivers/tty/n_tty.c | 4 - 1 file changed, 4 insertions(+) - -diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 41fe8a0..fe9d129 100644 a/drivers/tty/n_tty.c -+++ b/drivers/tty/n_tty.c -@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, - if (tty->ops->flush_chars) - tty->ops->flush_chars(tty); - } else { -+ struct n_tty_data *ldata = tty->disc_data; -+ - while (nr > 0) { -+ mutex_lock(&ldata->output_lock); - c = tty->ops->write(tty, b, nr); -+ mutex_unlock(&ldata->output_lock); - if (c < 0) { - retval = c; - goto break_out; --- -1.9.2 - Modified: PKGBUILD === --- PKGBUILD2014-05-13 10:35:01 UTC (rev 212334) +++ PKGBUILD2014-05-13 13:51:20 UTC (rev 212335) @@ -5,8 +5,8 @@ pkgbase=linux-lts # Build stock -lts kernel #pkgbase=linux-custom # Build kernel with a different name _srcname=linux-3.10 -pkgver=3.10.39 -pkgrel=2 +pkgver=3.10.40 +pkgrel=1 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -19,16 +19,14 @@ # standard config files for mkinitcpio ramdisk 'linux-lts.preset' 'change-default-console-loglevel.patch' -'criu-no-expert.patch' -'0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch') +'criu-no-expert.patch') md5sums=('4f25cd5bec5f8d5a7d935b3f2ccb8481' - 'bfb4feed5a0c28bc0cb57b47bb6aed57' + '1d771c285df9c45991fdee5d3e4a
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Tuesday, May 13, 2014 @ 10:23:48 Author: bpiotrowski Revision: 212332 upgpkg: linux-lts 3.10.39-2 fix CVE-2014-0196 Added: linux-lts/trunk/0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch Modified: linux-lts/trunk/PKGBUILD -+ 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch | 83 ++ PKGBUILD| 11 - 2 files changed, 91 insertions(+), 3 deletions(-) Added: 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch === --- 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch (rev 0) +++ 0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch 2014-05-13 08:23:48 UTC (rev 212332) 
@@ -0,0 +1,83 @@ +From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Sat, 3 May 2014 14:04:59 +0200 +Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode + +The tty atomic_write_lock does not provide an exclusion guarantee for +the tty driver if the termios settings are LECHO & !OPOST. And since +it is unexpected and not allowed to call TTY buffer helpers like +tty_insert_flip_string concurrently, this may lead to crashes when +concurrect writers call pty_write. In that case the following two +writers: +* the ECHOing from a workqueue and +* pty_write from the process +race and can overflow the corresponding TTY buffer like follows. + +If we look into tty_insert_flip_string_fixed_flag, there is: + int space = __tty_buffer_request_room(port, goal, flags); + struct tty_buffer *tb = port->buf.tail; + ... + memcpy(char_buf_ptr(tb, tb->used), chars, space); + ... + tb->used += space; + +so the race of the two can result in something like this: + AB +__tty_buffer_request_room + __tty_buffer_request_room +memcpy(buf(tb->used), ...) +tb->used += space; + memcpy(buf(tb->used), ...) ->BOOM + +B's memcpy is past the tty_buffer due to the previous A's tb->used +increment. + +Since the N_TTY line discipline input processing can output +concurrently with a tty write, obtain the N_TTY ldisc output_lock to +serialize echo output with normal tty writes. This ensures the tty +buffer helper tty_insert_flip_string is not called concurrently and +everything is fine. + +Note that this is nicely reproducible by an ordinary user using +forkpty and some setup around that (raw termios + ECHO). And it is +present in kernels at least after commit +d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to +use the normal buffering logic) in 2.6.31-rc3. 
+ +js: add more info to the commit log +js: switch to bool +js: lock unconditionally +js: lock only the tty->ops->write call + +References: CVE-2014-0196 +Reported-and-tested-by: Jiri Slaby +Signed-off-by: Peter Hurley +Signed-off-by: Jiri Slaby +Cc: Linus Torvalds +Cc: Alan Cox +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_tty.c | 4 + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index 41fe8a0..fe9d129 100644 +--- a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, + if (tty->ops->flush_chars) + tty->ops->flush_chars(tty); + } else { ++ struct n_tty_data *ldata = tty->disc_data; ++ + while (nr > 0) { ++ mutex_lock(&ldata->output_lock); + c = tty->ops->write(tty, b, nr); ++ mutex_unlock(&ldata->output_lock); + if (c < 0) { + retval = c; + goto break_out; +-- +1.9.2 + Modified: PKGBUILD === --- PKGBUILD2014-05-13 06:14:37 UTC (rev 212331) +++ PKGBUILD2014-05-13 08:23:48 UTC (rev 212332) @@ -6,7 +6,7 @@ #pkgbase=linux-custom # Build kernel with a different name _srcname=linux-3.10 pkgver=3.10.39 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -19,7 +19,8 @@ # standard config files for mkinitcpio ramdisk 'linux-lts.preset' 'change-default-console-loglevel.patch' -'criu-no-expert.patch') +'criu-no-expert.patch' +'0001-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch') md5sums=('4f25cd5bec5f8d5a7d935b3f2ccb8481' 'bfb4feed5a0c28bc0cb57b47bb6aed57' '45368ef5c1d03d375c31dcecabc5f0dd' @@ -26,7 +27,8 @@ 'bf297cf1c74b06552b1013a09a27692f' '232b5
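Review bot: The new `mutex_lock(&ldata->output_lock)` / `mutex_unlock(&ldata->output_lock)` pair around `tty->ops->write(tty, b, nr)` in `n_tty_write()` has no comment, and the code alone does not show why it is needed. The commit message gives the reason: `atomic_write_lock` does not exclude the echo path, so two writers can race on the tty buffer. A one-line comment above the lock would keep a later cleanup from removing it as redundant, for example `/* serialize with ldisc echo output; atomic_write_lock does not cover it */`. The lock is taken and released on every loop iteration, which matches the "lock only the tty->ops->write call" line in the changelog and could be mentioned in the same comment. `n_tty_write()` begins and ends outside the hunk.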
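Review bot: The patch added to the source list in the `@@ -19,7 +19,8 @@` hunk is a security fix (the commit subject names CVE-2014-0196), yet the array that pins it is `md5sums=(`. MD5 is not collision resistant, so it is a weak integrity check for the inputs of a kernel build. Switching the array to `sha256sums=(` and regenerating every entry (for example with `makepkg -g`) would fix this for all sources at once. The 3.10.28-1.1 commit further down has the same issue: it adds the CVE-2014-0038 patch under `md5sums` as well. The checksum entry for the new patch is in the following hunk, which is cut off in this view.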
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Thursday, February 6, 2014 @ 23:42:03 Author: bpiotrowski Revision: 205544 upgpkg: linux-lts 3.10.29-1 new upstream release Modified: linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch -+ 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch | 80 -- PKGBUILD| 15 - 2 files changed, 5 insertions(+), 90 deletions(-) Deleted: 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch === --- 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch 2014-02-06 20:55:32 UTC (rev 205543) +++ 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch 2014-02-06 22:42:03 UTC (rev 205544) 
@@ -1,80 +0,0 @@ -From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 -From: PaX Team -Date: Thu, 30 Jan 2014 16:59:25 -0800 -Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel - -The x32 case for the recvmsg() timout handling is broken: - - asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - unsigned int vlen, unsigned int flags, - struct compat_timespec __user *timeout) - { - int datagrams; - struct timespec ktspec; - - if (flags & MSG_CMSG_COMPAT) - return -EINVAL; - - if (COMPAT_USE_64BIT_TIME) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, -flags | MSG_CMSG_COMPAT, -(struct timespec *) timeout); - ... - -The timeout pointer parameter is provided by userland (hence the __user -annotation) but for x32 syscalls it's simply cast to a kernel pointer -and is passed to __sys_recvmmsg which will eventually directly -dereference it for both reading and writing. Other callers to -__sys_recvmmsg properly copy from userland to the kernel first. - -The bug was introduced by commit ee4fa23c4bfc ("compat: Use -COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels -since 3.4 (and perhaps vendor kernels if they backported x32 support -along with this code). - -Note that CONFIG_X86_X32_ABI gets enabled at build time and only if -CONFIG_X86_X32 is enabled and ld can build x32 executables. - -Other uses of COMPAT_USE_64BIT_TIME seem fine. - -This addresses CVE-2014-0038. - -Signed-off-by: PaX Team -Signed-off-by: H. 
Peter Anvin -Cc: # v3.4+ -Signed-off-by: Linus Torvalds - net/compat.c | 9 ++--- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/net/compat.c b/net/compat.c -index dd32e34..f50161f 100644 a/net/compat.c -+++ b/net/compat.c -@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - if (flags & MSG_CMSG_COMPAT) - return -EINVAL; - -- if (COMPAT_USE_64BIT_TIME) -- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, --flags | MSG_CMSG_COMPAT, --(struct timespec *) timeout); -- - if (timeout == NULL) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, NULL); - -- if (get_compat_timespec(&ktspec, timeout)) -+ if (compat_get_timespec(&ktspec, timeout)) - return -EFAULT; - - datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, &ktspec); -- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) -+ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) - datagrams = -EFAULT; - - return datagrams; --- -1.8.5.3 - Modified: PKGBUILD === --- PKGBUILD2014-02-06 20:55:32 UTC (rev 205543) +++ PKGBUILD2014-02-06 22:42:03 UTC (rev 205544) @@ -5,8 +5,8 @@ pkgbase=linux-lts # Build stock -lts kernel #pkgbase=linux-custom # Build kernel with a different name _srcname=linux-3.10 -pkgver=3.10.28 -pkgrel=1.1 +pkgver=3.10.29 +pkgrel=1 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -19,16 +19,14 @@ # standard config files for mkinitcpio ramdisk 'linux-lts.preset' 'change-default-console-loglevel.patch' -'criu-no-expert.patch' -'0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch') +'criu-no-expert.patch') md5sums=('4f25cd5bec5f8d5a7d935b3f2ccb8481' - '34514ae21798afcf2a8dc3c77f2714a6' + 'be6e9556b5e967ff26e999de62ac1118' '45368ef5c1d03d375c31dcecabc5f0dd'
[arch-commits] Commit in linux-lts/trunk (2 files)
Date: Friday, January 31, 2014 @ 17:13:52 Author: bpiotrowski Revision: 204934 upgpkg: linux-lts 3.10.28-1.1 fix CVE-2014-0038 Added: linux-lts/trunk/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch Modified: linux-lts/trunk/PKGBUILD -+ 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch | 80 ++ PKGBUILD| 13 + 2 files changed, 89 insertions(+), 4 deletions(-) Added: 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch === --- 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch (rev 0) +++ 0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch 2014-01-31 16:13:52 UTC (rev 204934) 
@@ -0,0 +1,80 @@ +From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 +From: PaX Team +Date: Thu, 30 Jan 2014 16:59:25 -0800 +Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel + +The x32 case for the recvmsg() timout handling is broken: + + asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags, + struct compat_timespec __user *timeout) + { + int datagrams; + struct timespec ktspec; + + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + + if (COMPAT_USE_64BIT_TIME) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, +flags | MSG_CMSG_COMPAT, +(struct timespec *) timeout); + ... + +The timeout pointer parameter is provided by userland (hence the __user +annotation) but for x32 syscalls it's simply cast to a kernel pointer +and is passed to __sys_recvmmsg which will eventually directly +dereference it for both reading and writing. Other callers to +__sys_recvmmsg properly copy from userland to the kernel first. + +The bug was introduced by commit ee4fa23c4bfc ("compat: Use +COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels +since 3.4 (and perhaps vendor kernels if they backported x32 support +along with this code). + +Note that CONFIG_X86_X32_ABI gets enabled at build time and only if +CONFIG_X86_X32 is enabled and ld can build x32 executables. + +Other uses of COMPAT_USE_64BIT_TIME seem fine. + +This addresses CVE-2014-0038. + +Signed-off-by: PaX Team +Signed-off-by: H. 
Peter Anvin +Cc: # v3.4+ +Signed-off-by: Linus Torvalds +--- + net/compat.c | 9 ++--- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/net/compat.c b/net/compat.c +index dd32e34..f50161f 100644 +--- a/net/compat.c b/net/compat.c +@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + +- if (COMPAT_USE_64BIT_TIME) +- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, +-flags | MSG_CMSG_COMPAT, +-(struct timespec *) timeout); +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); + +- if (get_compat_timespec(&ktspec, timeout)) ++ if (compat_get_timespec(&ktspec, timeout)) + return -EFAULT; + + datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, &ktspec); +- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) ++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) + datagrams = -EFAULT; + + return datagrams; +-- +1.8.5.3 + Modified: PKGBUILD === --- PKGBUILD2014-01-31 15:44:02 UTC (rev 204933) +++ PKGBUILD2014-01-31 16:13:52 UTC (rev 204934) @@ -6,7 +6,7 @@ #pkgbase=linux-custom # Build kernel with a different name _srcname=linux-3.10 pkgver=3.10.28 -pkgrel=1 +pkgrel=1.1 arch=('i686' 'x86_64') url="http://www.kernel.org/"; license=('GPL2') @@ -19,7 +19,8 @@ # standard config files for mkinitcpio ramdisk 'linux-lts.preset' 'change-default-console-loglevel.patch' -'criu-no-expert.patch') +'criu-no-expert.patch' +'0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch') md5sums=('4f25cd5bec5f8d5a7d935b3f2ccb8481' '34514ae21798afcf2a8dc3c77f2714a6' '45368ef5c1d03d375c31dcecabc5f0dd' @@ -26,7 +27,8 @@ 'bf297cf1c74b06552b1013a09a27692f' '232b52576a62c7a333e9fe7a1e1ca359' 'f3def2cefdc
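Review bot: With the `COMPAT_USE_64BIT_TIME` branch removed, nothing in `compat_sys_recvmmsg()` documents that `timeout` must never reach `__sys_recvmmsg()` directly. The removed code did exactly that, through the cast `(struct timespec *) timeout`, which dropped the `__user` annotation. A short comment above the `compat_get_timespec()` call would record the rule the fix restores, for example `/* timeout is a user pointer: copy it in and out, never pass it on as a kernel pointer */`. The hunk appears to rely on `compat_get_timespec()` and `compat_put_timespec()` to handle both timespec layouts. Their definitions are not shown here, so that is worth confirming against the tree the patch is applied to. The function's opening and its closing brace lie outside the hunk.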